The Brest Laboratory
Doosthofer Weg 8
21698 Brest
Germany
http://www.brest-lab.net
Logbook Section 1
The Static Laboratory
Version 0.99
November 2002
Markus Boing
mailto:[email protected]
DRAFT
TODO: Update router configuration profiles
Concept: November 24, 2002 1
Contents
1 Introduction 1
1.1 Document Purpose 1
1.2 Research Resources 1
2 Network Architecture 5
2.1 Topology Overview 5
2.2 Design Considerations 5
2.3 Design Constraints 5
3 Office Network 7
3.1 Physical Design 7
3.2 Logical Design 8
3.3 Network Services 8
3.3.1 Internet Access 8
3.3.2 DHCP 9
3.3.3 DNS 9
3.3.4 TFTP 9
3.3.5 Printing 9
3.3.6 X11 9
4 Lab Network 12
4.1 Physical Design 12
4.1.1 Software 13
IOS-MPLS 13
NetBSD-MPLS 13
IOS-Edge 13
NetBSD-Core 13
IOS-Pagent 13
Configuration Files 13
4.1.2 Hardware 15
4.2 Logical Design 16
Zebra OSPFd 16
4.2.1 MPLS 18
4.2.2 IPv6 19
Topology 19
Physical Design 19
Addressing 19
Routing 20
Host Access 21
5 Network Services 27
5.1 DNS 27
5.2 FTP and TFTP 27
5.3 Logging 27
5.4 NTP 27
5.5 Printing 27
5.6 netdb (http://www.net.cmu.edu/netreg/) 27
5.7 VideoLAN (www.videolan.org) 27
5.8 Kismet (www.kismetwireless.net) 27
5.9 Network Verification Toolkit 28
5.9.1 Some Tools that come with IOS 28
Service Assurance Agent 28
Traffic Matrix Statistics 29
5.9.2 Pagent 32
LNE BGP 33
LNE OSPF 35
TGN 38
5.9.3 Expect 42
5.9.4 Ploticus 43
5.9.5 NRFU 45
5.9.6 Cricket and RRDTool 46
5.9.7 MRTG 47
5.9.8 Ethereal (www.ethereal.com) 51
5.9.9 Etherape (etherape.sourceforge.net) 51
5.10 Authentication Services 52
5.10.1 RADIUS 52
5.11 Security Toolkit 53
A Configuration Log 54
A.1 Basic IPv4 Configuration 54
A.1.1 Common Configuration - NTP, SNMP, Administrative Access 54
A.1.2 Common Configuration - RADIUS 56
A.1.3 Router Core1 - IPv4 58
A.1.4 Router Core2 - IPv4 61
A.1.5 Router Core3 - IPv4 64
A.1.6 Router Core4 - IPv4 67
A.1.7 Router Edge1 - IPv4 68
A.1.8 Router Edge2 - IPv4 70
A.1.9 Router Zerberus - IPv4 72
A.1.10 Host Anchor - IPv4 73
A.1.11 Host Dinghy - IPv4 74
A.2 IPv6 Configuration 78
A.2.1 Router Anchor - IPv6 78
A.2.2 Router Dinghy - IPv6 84
A.2.3 Router Edge1 - IPv6 89
A.2.4 Router Edge2 - IPv6 91
A.2.5 Router Core4 - IPv6 93
A.3 RADIUS 99
A.4 Ploticus 101
A.5 MRTG 104
A.6 Expect 107
B Problem and Resolution Log 113
B.1 2002-09-00 - Installing NetBSD on SGI Indy 113
B.1.1 Status: SOLVED 113
B.1.2 Symptom 113
B.1.3 Analysis 113
B.1.4 Solution 114
B.1.5 Symptom 115
B.1.6 Analysis 115
B.1.7 Solution 115
B.1.8 Symptom 115
B.1.9 Analysis 115
B.1.10 Solution 116
B.2 2001-10-06 - GateD: No IP forwarding 117
B.2.1 Status: SOLVED 117
B.2.2 Symptom 117
B.2.3 Analysis 117
B.2.4 Solution 117
B.3 2001-10-04 - Zebra OSPFd on NetBSD does not form Adjacency 118
B.3.1 Status: SOLVED 118
B.3.2 Symptom 118
B.3.3 Analysis 120
B.3.4 Solution 123
B.4 2001-03-17 - RADIUS on DEC Alpha running NetBSD 124
B.4.1 Status: OPEN 124
B.4.2 Symptom 124
B.4.3 Analysis 124
B.4.4 Solution 126
C Activity Log 127
C.1 How to add IPv6 to the Lab Network 127
C.1.1 Configure Route Reflectors 127
Enable IPv6 on Anchor and Dinghy 127
Configure IPv6 Addresses on Ethernet and Loopback Interfaces 128
Create Tunnel between Anchor and Dinghy 128
Configure iBGP between Anchor and Dinghy 130
C.1.2 Configure Cisco Edge Router 136
Enable IPv6 on Edge Router 136
Configure Tunnels 136
Configure BGP on Route Reflectors 138
Configure BGP on Cisco Edge Router 140
Test Static Route and Tunnel 141
Check BGP 142
Configure RIPv6 150
C.1.3 Configure NetBSD/Zebra Edge Router 152
C.2 Configuring DJBDNS 153
D Xyplex MaxServer 1600 158
D.1 Access Server Administrator's Primer 158
D.1.1 Bootstrap 158
Software Image 158
D.1.2 Parameter File 159
D.1.3 Login 160
D.1.4 Configuration 160
D.1.5 Rebooting 162
D.1.6 Normally NOT Suggested 163
D.1.7 Additional Information 164
D.1.8 Additional Documentation and Resources 164
D.2 Setting An MX-1600, MX-1608 or MX-1450 To Factory Defaults 166
D.2.1 Configuring MX1600 To Load Image Via DTFTP 168
D.3 Configuring SYSLOG On Access Servers 171
D.3.1 Configure the Access Server for SYSLOGD 171
D.3.2 Setting a Priority Number 171
D.3.3 Configure the Unix Host for SYSLOGD 172
Document History 173
Figures
2.1 Network Architecture 6
3.1 Office Network - Physical Design 10
3.2 Office Network - Logical Design 11
4.1 Lab Network - Physical Design 22
4.2 Lab Network - Logical Design 23
4.3 Lab Network - IPv6 Logical Design 24
4.4 Lab Network - IPv6 Routing 25
4.5 Lab Network - MPLS Logical Design 26
5.1 Pagent TGN 41
5.2 Expect script rtr3 42
5.3 Example of a Ploticus CPU utilization graph 43
5.4 Example of a Ploticus memory utilization graph 44
5.5 Example of a MRTG CPU utilization graph 48
5.6 Example of a MRTG memory utilization graph 49
5.7 Example of a MRTG free memory graph 50
Tables
3.1 Office Network - Inventory 7
3.2 Office Network - IP Address Assignment 8
4.1 Lab Network - Inventory 15
4.2 Lab Network - IP Address Assignment 17
1 Document History 173
1 Introduction
During the course of my lab sessions I found myself frequently re-cabling boxes and typing basic configuration statements into routers. I thought it would be convenient to have a default laboratory configuration that does support a wide variety of experiments without significant changes in the physical setup.
Also I found myself occasionally in a situation where my wife wanted to do something fancy, such as printing a letter or surfing the web, and could not do so because I was using the equipment.
To solve my problem I developed a network architecture that is separated in two parts, an office network and a laboratory network.
Office network (also termed "production network") provides a stable environment for tasks that are not directly related to laboratory work such as providing Internet access to my family. However, the services of the office network are also available to the laboratory network.
Laboratory network provides the network engineer's playground.
1.1 Document Purpose
The purpose of this document is to describe both the office and the laboratory network, including:
• Network architecture
• Network services
• Devices and device configuration
• Key software tools used in the network
• "Cheat sheet" for common configuration problems
• Problem and problem resolution log
1.2 Research Resources
Cisco Router Cisco's web site (http://www.cisco.com/tac/) provides a wealth of information for the network professional ranging from networking basics to in-depth treatment of Cisco products.
SNMP Object Navigator http://www.cisco.com/cgi-bin/Support/Mibbrowser/unity.pl
Xylan PizzaSwitch Xylan has been acquired by Alcatel (http://www.ind.alcatel.com/). Some of the old PizzaSwitches (at least parts of them) are still alive under the name OmniSwitch.
Xyplex Terminal Server iTouch Communications (http://www.itouchcom.com/) has taken over the old Xyplex product line.[1]
[1] The documentation used to be at the URL http://www.nbase-xyplex.com/support/documentation/ and documentation specific to the MaxServer 1600 was available at the URL http://www.nbase-xyplex.com/support/documentation/product/guide/index.cfm?doc=accessserver.
Conserver (http://www.conserver.com/) is an application that allows multiple users to watch a serial console at the same time. It can log the data, allows users to take write-access of a console (one at a time), and has a variety of bells and whistles to accentuate that basic functionality. The idea is that conserver will log all your serial traffic so you can go back and review why something crashed, look at changes (if done on the console), or tie the console logs into a monitoring system (just watch the logfiles it creates). With multi-user capabilities you can work on equipment with others, mentor, train, etc. It also does all that client-server stuff so that, assuming you have a network connection, you can interact with any of the equipment from home or wherever.
The Greater Scroll of Console Knowledge (http://www.conserver.com/consoles/) provides links tovarious pages with information regarding serial ports, console servers, and the Conserver program.
Stokely Consulting (http://www.stokely.com/) provides Unix serial port and system administratorresources.
tcpdump The home page of tcpdump and libpcap can be found at the URL http://www.tcpdump.org/.
Ethereal is a network protocol analyzer for Unix and Win32. The home page of Ethereal can be foundat the URL http://www.ethereal.com/.
Scotty The home page of Scotty can be found at the URL http://wwwhome.cs.utwente.nl/~schoenw/scotty/. Information on Scotty and other network management tools, such as libsmi, can be found at the TU Braunschweig at the URL http://www.ibr.cs.tu-bs.de/projects/nm/.
libsmi The home page of the libsmi library can be found at the URL http://www.ibr.cs.tu-bs.de/projects/libsmi/.
GxSNMP is a network management application for the GNOME project. The home page of GxSNMP can be found at the URL http://www.gxsnmp.org.
http://www.snmplink.org/ This site provides links and information about SNMP, MIBs etc. It offers a good list of SNMP and network management related tools.
MRTG (Multi Router Traffic Grapher) is a tool to monitor the traffic load on network links. MRTG generates HTML pages containing graphical images which provide a live visual representation of this traffic. The home page of MRTG can be found at the URL http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/mrtg.html.
RRDTool is a system to store and display time-series data such as network bandwidth utilization. It stores the data in a very compact way that will not expand over time, and it presents useful graphs by processing the data to enforce a certain data density. It can be used either via simple wrapper scripts (from shell or Perl) or via frontends that poll network devices and put a friendly user interface on it.
If you know MRTG, you can think of RRDtool as a reimplementation of MRTG's graphing and logging features, magnitudes faster and more flexible than you ever thought possible.
The home page of RRDTool can be found at the URL http://www.rrdtool.org/.
Cricket is a very flexible system for monitoring trends in time-series data. Cricket was expressly developed to help network managers visualize and understand the traffic on their networks. It has two components, a collector and a grapher. The collector runs periodically from cron and stores data into a data structure managed by RRDTool. Later, when you want to check on the data you have collected, you can use a web-based interface to view graphs of the data.
Cricket reads a set of configuration files called a config tree. The config tree expresses everything Cricket needs to know about the types of data to be collected, how to get it, and from which targets it should collect data. The config tree is designed to minimize redundant information, making it compact and easy to manage, and preventing silly mistakes from occurring due to copy-and-paste errors.
The home page of Cricket can be found at the URL http://cricket.sourceforge.net/.
OpenNMS is an open-source project dedicated to the creation of an enterprise grade network management platform. The home page of OpenNMS can be found at the URL http://www.opennms.org/.
Zebra is free software (distributed under the GNU General Public License) that manages TCP/IP based routing protocols. The Zebra home page can be found at the URL http://www.zebra.org/.
The MRT project is researching routing software architectures, protocols and tools. The MRT (Multi-threaded Routing) toolkit has been used to build a wide variety of tools, ranging from production Internet and 6bone routing daemons to BGP fault-injection and traffic generation test packages. MRT software is in active use providing stress testing of commercial routers, collecting and analyzing Internet routing traffic for researchers, and serving as routing software connecting networks to the Internet and the 6Bone.
MRT is no longer actively developed.
The MRT home page can be found at the URL http://merit.edu/mrt/.
GateD routing software is no longer available to the public. See http://www.gated.org for more details.
Nessus is a free, powerful, up-to-date and easy to use remote security scanner. A security scanner is a software which will audit remotely a given network and determine whether bad guys may break into it, or misuse it in some way.
The Nessus home page can be found at the URL http://www.nessus.org/.
Nmap (Network Mapper) is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services they are offering, what operating system they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL.
The Nmap home page can be found at the URL http://www.insecure.org/nmap/.
ntop is a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntop is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform and on Win32 as well. ntop comes with two applications: the "classical" ntop that sports an embedded web server, and intop (interactive ntop) which is basically a network shell based on the ntop engine.
The ntop home page can be found at http://www.ntop.org/.
NTP
SNI PC
Edimax (http://www.edimax.com/) manufactures the PS-1000A+ print server.
http://www.netbsd.org/Ports/alpha/ The NetBSD/alpha site provides a lot of good information on DEC Alpha machines. Chris Demetriou's Alpha documentation reference list discusses available DEC Alpha documentation. Very good!
http://ftp.digital.com/pub/DEC/Alpha/firmware/ This site provides Alpha systems firmware updates.
ftp://gatekeeper.dec.com/pub/ This is the old public domain software site of DEC. Has still some good (old) stuff on it.
http://www.compaq.com/alphaserver/workstations/retired/index.html The site provides information, such as user guides or system specifications, regarding retired Alpha workstations. Will probably not stay around for long now that HP owns Compaq/DEC.
http://www.netbsd.org/Ports/sgimips/faq.html The NetBSD/sgimips site provides a lot of information regarding NetBSD on SGI machines.
http://futuretech.mirror.vuurwerk.net/sgi.html This site provides a lot of information regarding SGI and Irix, including a network installation guide for Irix.
http://www.reputable.com/indytech.html This site provides a lot of technical information regarding the SGI Indy.
http://www.sgi.com/ The web site of SGI.
2 Network Architecture
2.1 Topology Overview
The network has two main components:
• Office or production network
• Laboratory network
2.2 Design Considerations
The network architecture was designed with the following considerations in mind.
• The office network shall provide basic services (Internet access, printing) using as little equipment as possible.
• Services and resources of the office network, such as Internet access and printing, shall be available to the lab network as well.
• Services of the office network must not depend on the lab network or parts of it.
• Key components of the office network shall not be used in labs. Reconfiguration of devices (Internet access router) impacting basic services of the office network should be avoided.
• The lab network should be flexible enough to allow setting up a variety of network designs without re-cabling the devices.
• The lab network should provide configuration modules/procedures that speed up the process of generating configurations for specific lab setups.
• The lab network should provide test procedures to validate correct operation of the baseline network.
• The lab network should provide a tool chest for common tasks, such as gathering performance data, in various experiments.
2.3 Design Constraints
• Lack of time.
• Lack of money.[2]
• Lack of space.
[2] Leading to lack of flash memory in my routers.
[Figure 2.1 Network Architecture: diagram (source file $Id: static-lab-2-office.graffle,v 1.3 2002/08/12 15:24:36 markus Exp $, titled "Static Lab - Interfacing between Laboratory and Production Network", http://www.brest-lab.net). The Production Network (IP 172.16.254.0/24) holds the Internet uplink, c1603 Zerberus, the iBook Fruchtzwerg, the DEC Alpha Anchor and the Aironet 350 access point (labelled Tigerente in the drawing). The Laboratory Network holds c2501 Edge1, c2501 Core1, c2501 Core2, c2501 Core3, c2503 Edge2, i386 Edge3 and the c4500M Pagent, joined by Frame Relay links between the Cisco routers and Ethernet segments; the lab side reaches the production network at 172.16.254.254.]
Figure 2.1 Network Architecture
3 Office Network
3.1 Physical Design
The office network is designed around a 10 Mbit/s Ethernet hub. These are the main components of the network:
Zerberus is a Cisco 1603 router providing Internet connectivity and DHCP service.
Radio is a Cisco Access Point 350 providing wireless access to the office network.
Fruchtzwerg is a beautiful Apple iBook used as workstation.
Printer is an HP Deskjet 520 printer attached to the Ethernet hub using an Edimax PS-1000A+ print server.
Anchor is a DEC Alpha Station 200 4/233 providing services such as DNS, NTP, and SYSLOG. Anchor is basically a lab box and not required for operation of the office network. Zerberus provides T-Online name server addresses to DHCP clients. DNS service on node Anchor is limited to the lab network.
Max is a Xyplex MaxServer 1600 terminal server attached to the Ethernet hub providing access to the console ports of lab devices. It is not required for operation of the office network.
Name | Vendor | Model | OS | Memory | Hard Disk | NIC
Zerberus | Cisco | 1603 | IOS 12.2(8)T5, IP+ feature set | 10 MB DRAM, 16 MB Flash | none | Ethernet0, BRI0
Anchor | DEC | Alpha Station 200 4/233 | NetBSD 1.6 | 128 MB | 9 GB | tlp0, ep0
Fruchtzwerg | Apple | iBook | MacOS 10.1.5 | 256 MB | 18 GB, CD-RW | en0, en1
Radio | Cisco | AP 350 | AP 11.21 | - | - | fec0, awc0
Max | Xyplex | MaxServer 1600 | ? | ? | none | Ethernet0, 16 async
Printer | Edimax | PS-1000A+ | v9.6 | - | none | 10BaseT
Table 3.1 Office Network - Inventory
3.2 Logical Design
The office network uses the IPv4 protocol[3] with addresses from the RFC 1918 address space 172.16.254.0/24.
Router Zerberus has a default route pointing to its Dialer1 interface. Hosts in the office network have a default route pointing to the Ethernet interface (172.16.254.1) of router Zerberus.
The laboratory network can be connected to an Ethernet port of the office network. Router Zerberus has static routes (192.168.0.0/16, 172.16.0.0/16, 10.0.0.0/8) to the laboratory network configured. The next hop of these routes is 172.16.254.254. The laboratory router connecting to the production network has this address configured on its Ethernet interface. It has a default route configured pointing to 172.16.254.1. This default route can be propagated to other routers in the laboratory network. Note that the static route for 172.16.0.0/16 covers the office LAN itself; this is harmless because the directly connected 172.16.254.0/24 is the longer match and wins, but it means any 172.16.x.x address not on the office LAN is forwarded into the lab.
Host Anchor can be connected to the laboratory network using a free LAN card.
Name | Interface | IP Address | Remark
Zerberus | Ethernet0 | 172.16.254.1 | Internet router
Zerberus | Dialer1 | negotiated | Internet via T-Online
Anchor | tlp0 | 172.16.254.2 | Server
Anchor | ep0 | DHCP | Interface to lab network
- | - | 172.16.254.3 | unassigned
Printer | Ethernet | 172.16.254.4 | Print Server
Max | Ethernet | 172.16.254.5 | Console server for lab routers
Radio | fec0 | 172.16.254.6 | Access point Ethernet
Radio | awc0 | 172.16.254.6 | Access point radio
- | - | 172.16.254.7 | unassigned
- | - | 172.16.254.8 | unassigned
- | - | 172.16.254.9 | unassigned
- | - | 172.16.254.10 | unassigned
- | - | 172.16.254.11 ... | Begin of DHCP pool served by Zerberus
- | - | 172.16.254.254 | Interface to the lab network
Table 3.2 Office Network - IP Address Assignment
3.3 Network Services
3.3.1 Internet Access
Router Zerberus provides Internet access to the office and lab network.
TODO: NAT, dialer list, etc.
[3] Zerberus and Anchor run IPv6-enabled software.
3.3.2 DHCP
Router Zerberus provides DHCP service for the office network. It provides a requesting node with IP address, default gateway (172.16.254.1), name servers (194.25.2.133, 194.25.2.132, 194.25.2.131, 194.125.2.130), and domain name (brest-lab.net) information.
3.3.3 DNS
Node Anchor provides DNS service to the lab network. Please refer to page 27 for a detailed description of the service implementation.
3.3.4 TFTP
Node Anchor provides TFTP boot service. A boot image for the Xyplex terminal server resides in the directory /tftpboot/xyplex. Boot images for the SGI Indy reside in the directory /tftpboot/netbsd. TFTP has no authentication, so the service should only be reachable from the lab network.
Please refer to page 27 for a detailed description of the service implementation.
3.3.5 Printing
Anchor Node Anchor uses CUPS (http://www.cups.org/) as printing system. Please refer to page 27 for a detailed description of the implementation.
Fruchtzwerg Printing to the network attached HP Deskjet is configured according to "Balthisar's Guide to Non-Supported Mac OS X Printing" (http://www.balthisar.com/printing/).
3.3.6 X11
Anchor Despite the fact that node Anchor is a head-less workstation[4] it does have the X11 system installed. Since it does not have a graphics controller or monitor no fancy X11 server configuration is required.
Fruchtzwerg Node Fruchtzwerg has the XDarwin X11 server (http://www.xdarwin.org/) and the OroborOSX window manager (http://wrench.et.ic.ac.uk/adrian/) installed. X11 clients on node Anchor can display using the X11 server hosted on node Fruchtzwerg.
[4] "Head-less" means it does not have a graphics controller or monitor attached to it. The machine uses a serial console device.
[Figure 3.1 Office Network - Physical Design: diagram (source file $Id: office-physical-topology.graffle,v 1.5 2002/10/09 15:54:54 markus Exp $, http://www.brest-lab.net). Around an 8-port Ethernet hub: Cisco 1603 Zerberus (IOS-Firewall; Dia1 IP negotiated towards the Internet via T-Online, Eth0 172.16.254.1/24), DEC AS200 Anchor (NetBSD-Core; tlp0 172.16.254.2/24, ep0), Cisco AP 350 Radio (AP S/W 11.21; fec0, awc0), Xyplex MaxServer 1600 Max (v7.?; Eth0), HP Deskjet 520 Printer behind its print server, Apple iBook Fruchtzwerg (MacOS X 10.1.5; en0, en1, DHCP), and the Laboratory Network (10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/16) attached at 172.16.254.254/24 with a default route 0.0.0.0/0 towards Zerberus.]
Figure 3.1 Office Network - Physical Design
[Figure 3.2 Office Network - Logical Design: diagram (source file $Id: office-logical-design.graffle,v 1.2 2002/08/13 13:26:59 markus Exp $, http://www.brest-lab.net). The Office Network 172.16.254.0/24 contains Zerberus (172.16.254.1 on the LAN, IP negotiated towards the Internet; labelled NAT, DHCP server, name server), Anchor (172.16.254.2), a DHCP client, and the Lab Router (172.16.254.254, lab IP address on its other side) leading to the Lab Network (10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/16). Default routes 0.0.0.0/0 point from the hosts and the lab router to Zerberus and from Zerberus to the Internet; static routes for the three lab prefixes point from Zerberus to the lab router.]
Figure 3.2 Office Network - Logical Design
4 Lab Network
4.1 Physical Design
The static lab network consists mainly of five Cisco 2500 series routers. The routers are daisy-chained via their serial interfaces using back-to-back cables. Core routers act as Frame Relay switches, thus providing the capability to implement a variety of different logical topologies. Per convention interface Serial0 will always provide clocking. A diagram of the physical design can be found on page 22.
These are the main components of the static lab network:
Core1 is a Cisco 2501 router running IOS-MPLS software.
Core2 is a Cisco 2501 router running IOS-MPLS software.
Core3 is a Cisco 2501 router running IOS-MPLS software.
Core4 is a i386 PC running NetBSD-MPLS software.
Edge1 is a Cisco 2501 router running IOS-Edge software.
Edge2 is a Cisco 2503 router running IOS-Edge software.
Anchor is a DEC Alpha Station 200 running NetBSD-Core software.
In basic configuration Anchor serves as IPv4 host. It provides ftp, tftp and syslog services for lab routers. It participates in NTP peering with all lab routers and node Dinghy. Anchor also participates in OSPF routing. Configuration files for basic operation can be found on page 73.
With additional IPv6 configuration Anchor serves as IPv6 hub router. Configuration files for IPv6 operation can be found on page 78.
Dinghy is a SGI Indy running NetBSD-Core software.
In basic configuration Dinghy serves as IPv4 host. It provides ftp, tftp and syslog services for lab routers. It participates in NTP peering with all lab routers and NTP server Anchor. Dinghy also participates in OSPF routing. Configuration files for basic operation can be found on page 74.
With additional IPv6 configuration Dinghy serves as IPv6 hub router. Configuration files for IPv6 operation can be found on page 84.
Pagent is a Cisco 4500m router running IOS-Pagent.
4.1.1 Software
The following software versions are used in the lab.
IOS-MPLS
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-P-L), Experimental Version 12.0(20011017:155337) [rraszuk-New_reorg_oct17 109]
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Sat 20-Oct-01 04:12 by rraszuk
NetBSD-MPLS
NetBSD 1.5.2/i386
AYAME 0.3
Zebra-AYAME 0.93b
IOS-Edge
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.2(11)T, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 01-Aug-02 18:38 by ccai
NetBSD-Core
NetBSD 1.6/alpha
NetBSD 1.6/sgimips
Zebra 0.93b
GateD 3.6/public
IOS-Pagent
Cisco Internetwork Operating System Software
IOS (tm) 4500 Software (C4500-TSPGEN-M), Experimental Version 12.2(20020815:031451) [nkalyan-build 126]
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 15-Aug-02 03:22 by nkalyan
Pagent version 3.7.0
Configuration Files
Configuration files are subject to version control. The files are stored in RCS.
In case of a Cisco router the following convention will be used. Revision information will be put into the description of a router's loopback interface. This way version information can be retrieved easily from a running router. Since a router's configuration can be composed from multiple modules[5] a number of loopback interfaces are used. Note that the description is ordinary configuration text: it records which module revision was loaded, but anyone with configuration access can change it, so it is a bookkeeping aid rather than an integrity check of the configuration.
The following mapping will be used for the static lab:
• Loopback 0 = Version number of a routers basic IPv4 configuration
• Loopback 1 = Version number of module for common configuration commands
• Loopback 2 = Version number of module RADIUS authentication
• Loopback 3 = Version number of module TACACS authentication
• Loopback 10 = Version number of a routers basic MPLS configuration
• Loopback 11 = Version number of a routers MPLS VPN configuration
• Loopback 20 = Version number of a routers basic IPv6 configuration
On a running router version information can be retrieved by looking at the configuration file:
Core1#write terminal
<snip>
interface Loopback0
 description $Id: core1-confg,v 1.3 2002/10/19 15:49:11 markus Exp $
 ip address 172.16.0.1 255.255.255.255
 no ip directed-broadcast
!
interface Loopback1
 description $Id: common-confg,v 1.2 2002/10/25 14:15:13 markus Exp $
 no ip address
 no ip directed-broadcast
!
interface Loopback10
 description $Id: core1-mpls-confg,v 1.3 2002/10/24 14:26:21 markus Exp $
 no ip address
 no ip directed-broadcast
<snip>
Another way of retrieving version information is looking at the interface description:
Core3#show interfaces loopback 0 description
Interface  Status  Protocol  Description
Lo0        up      up        $Id: core3-confg,v 1.3 2002/10/12 14:30:02 markus Exp $
Core3#show interfaces loopback 1 description
Interface  Status  Protocol  Description
Lo1        up      up        $Id: common-confg,v 1.2 2002/10/25 14:15:13 markus Exp $
Core3#show interfaces loopback 10 description
Interface  Status  Protocol  Description
Lo10       up      up        $Id: core3-mpls-confg,v 1.3 2002/10/24 14:26:34 markus Exp $
Core3#
[5] Some modules are generic while others are specific to a router.
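The loopback-description convention is easy to audit mechanically. The following Python script is an added example for this workbook, not code from the original page or from the lab: it parses the RCS $Id$ tags out of either transcript shape shown above (the write terminal listing or the show interfaces ... description rows), maps loopback numbers to modules using the table above, and reports modules that are missing, carry an unexpected module file, run a revision other than the one expected, or are deployed without being expected at all. The Core3 transcript is taken from the page; the EXPECTED table, the module file name core3-ipv6-confg and all function names are assumptions made for the example.

```python
"""Audit the RCS $Id$ tags that the lab keeps in loopback descriptions.

Added example for this workbook, not code from the original page or the lab.
CORE3_OUTPUT is the transcript shown above; EXPECTED, the module file name
core3-ipv6-confg and the function names are assumptions made for the example.
"""
import re
from typing import Dict, Optional, Tuple

# Lab convention (Section 4.1.1): loopback number -> configuration module.
LOOPBACK_MODULES = {0: "basic IPv4", 1: "common", 2: "RADIUS", 3: "TACACS",
                    10: "basic MPLS", 11: "MPLS VPN", 20: "basic IPv6"}

# RCS keyword: $Id: <file>,v <rev> <date> <time> <user> <state> $
ID_TAG = re.compile(r"\$Id:\s+(?P<file>\S+),v\s+(?P<rev>[\d.]+)\s+(?P<date>\S+)\s+"
                    r"(?P<time>\S+)\s+(?P<user>\S+)\s+(?P<state>\S+)\s*\$")
# "Lo10 up up <desc>" rows of "show interfaces loopback N description"
DESC_ROW = re.compile(r"^Lo(?P<num>\d+)\s+\S+\s+\S+\s+(?P<desc>.*)$")
# "interface Loopback10" / "description <desc>" pairs in "write terminal"
IF_LINE = re.compile(r"^interface\s+(?P<name>\S+)")
DESC_LINE = re.compile(r"^description\s+(?P<desc>.*)$")


def parse_id_tag(text: str) -> Optional[Dict[str, str]]:
    """Return the fields of the first RCS $Id$ tag in text, or None."""
    m = ID_TAG.search(text)
    return m.groupdict() if m else None


def loopback_revisions(output: str) -> Dict[int, Dict[str, str]]:
    """Map loopback number -> $Id$ fields, from either transcript shape."""
    found: Dict[int, Dict[str, str]] = {}
    current: Optional[int] = None  # loopback whose description line is next
    for raw in output.splitlines():
        line = raw.strip()
        row = DESC_ROW.match(line)
        if row:
            tag = parse_id_tag(row.group("desc"))
            if tag:
                found[int(row.group("num"))] = tag
            continue
        ifc = IF_LINE.match(line)
        if ifc:  # any new interface stanza ends the previous one
            name = ifc.group("name")
            current = int(name[8:]) if name.startswith("Loopback") else None
            continue
        desc = DESC_LINE.match(line)
        if desc and current is not None:
            tag = parse_id_tag(desc.group("desc"))
            if tag:
                found[current] = tag
            current = None
    return found


def check_revisions(output: str, expected: Dict[int, Tuple[str, str]]) -> Dict[str, str]:
    """Compare router tags with expected {loopback: (file, rev)}; return {module: problem}."""
    problems: Dict[str, str] = {}
    seen = loopback_revisions(output)
    for num, (want_file, want_rev) in expected.items():
        module = LOOPBACK_MODULES.get(num, f"Loopback{num}")
        tag = seen.get(num)
        if tag is None:
            problems[module] = "module not present on router"
        elif tag["file"] != want_file:
            problems[module] = f"unexpected module file {tag['file']}"
        elif tag["rev"] != want_rev:
            problems[module] = f"{want_file} rev {tag['rev']} on router, expected {want_rev}"
    for num in sorted(seen.keys() - expected.keys()):
        problems[LOOPBACK_MODULES.get(num, f"Loopback{num}")] = "module deployed but not expected"
    return problems


# Core3 transcript from Section 4.1.1 (copied from the page).
CORE3_OUTPUT = """\
Core3#show interfaces loopback 0 description
Interface Status Protocol Description
Lo0 up up $Id: core3-confg,v 1.3 2002/10/12 14:30:02 markus Exp $
Core3#show interfaces loopback 1 description
Interface Status Protocol Description
Lo1 up up $Id: common-confg,v 1.2 2002/10/25 14:15:13 markus Exp $
Core3#show interfaces loopback 10 description
Interface Status Protocol Description
Lo10 up up $Id: core3-mpls-confg,v 1.3 2002/10/24 14:26:34 markus Exp $
Core3#
"""

# Assumed expected revisions: MPLS module one revision ahead of the router,
# plus an IPv6 module (hypothetical file name) that Core3 does not carry.
EXPECTED = {0: ("core3-confg", "1.3"), 1: ("common-confg", "1.2"),
            10: ("core3-mpls-confg", "1.4"), 20: ("core3-ipv6-confg", "1.0")}

if __name__ == "__main__":
    for module, problem in check_revisions(CORE3_OUTPUT, EXPECTED).items():
        print(f"{module}: {problem}")
```

Run against the Core3 transcript with the assumed table, it reports the MPLS module one revision behind and the IPv6 module absent. A revision table kept under RCS next to the configuration modules gives the check something to compare against; the description itself proves only that a module was loaded at some point, not that the rest of the configuration is still what that revision says.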
4.1.2 Hardware
Name | Vendor | Model | OS | Memory | Hard Disk | NIC
Core1 | Cisco | 2501 | IOS-MPLS | 16 MB DRAM, 8 MB Flash | none | Ethernet0, Serial0, Serial1
Core2 | Cisco | 2501 | IOS-MPLS | 16 MB DRAM, 8 MB Flash | none | Ethernet0, Serial0, Serial1
Core3 | Cisco | 2501 | IOS-MPLS | 16 MB DRAM, 8 MB Flash | none | Ethernet0, Serial0, Serial1
Core4 | SNI | Pro C5 | NetBSD-MPLS | 48 MB DRAM | 4 GB, 4 GB | rtk0, rtk1, ne2
Edge1 | Cisco | 2501 | IOS-Edge | 16 MB DRAM, 16 MB Flash | none | Ethernet0, Serial0, Serial1
Edge2 | Cisco | 2503 | IOS-Edge | 16 MB DRAM, 16 MB Flash | none | Ethernet0, Serial0, Serial1, BRI0
(unnamed) | Cisco | Pix 501 | PIX 6.1(2) | 16 MB DRAM | none | Ethernet0, Ethernet1
Anchor | DEC | Alpha Station 200 | NetBSD-Core | 128 MB DRAM | 9 GB, CD-ROM | tlp0, ep0
Dinghy | SGI | Indy | NetBSD-Core | 64 MB DRAM | 2 GB | sq0
Pagent | Cisco | 4500m | IOS-Pagent | 32 MB DRAM, 16 MB Flash, 8 MB Bootflash | none | Ethernet0, Ethernet1, Serial0, Serial1, BRI0, BRI1, BRI2, BRI3
Table 4.1 Lab Network - Inventory
4.2 Logical Design
The static laboratory network uses IPv4 addresses from the RFC 1918 address space.
The static lab uses OSPF as routing protocol for IPv4. All interfaces are in area 0 except the Ethernet interfaces of the edge routers, each of which is in its own area.
Zebra OSPFd
Zebra was compiled with the options --enable-snmp, --enable-tcp-zebra, --enable-nssa, --enable-opaque-lsa, --enable-ospf-te, and --enable-multipath=4.
Please note that Zebra's OSPF daemon on a NetBSD system requires static routes for the multicast addresses 224.0.0.5 and 224.0.0.6 in order to establish adjacency with peer routers (see problem B.3 on page 118).
Name | Interface | IP Address | Remark
Core1 | Loopback0 | 172.16.0.1/32 |
Core1 | Serial0.100 | ip unnumbered loopback0 | PVC to Core2 (Trunk)
Core1 | Serial1.100 | ip unnumbered loopback0 | PVC to Core3 (Trunk)
Core1 | Serial0.200 | ip unnumbered loopback0 | PVC to Edge1 (Access)
Core1 | Ethernet0 | 172.16.255.1/24 | Trunk link to Core4, Dinghy
Core2 | Loopback0 | 172.16.0.2/32 |
Core2 | Serial1.100 | ip unnumbered loopback0 | PVC to Core1 (Trunk)
Core2 | Serial1.200 | ip unnumbered loopback0 | PVC to Core3 (Trunk)
Core2 | Serial0.100 | ip unnumbered loopback0 | PVC to Edge1 (Access)
Core2 | Serial1.300 | ip unnumbered loopback0 | PVC to Edge2 (Access)
Core2 | Ethernet0 | 172.16.254.254/24 | Office LAN, Trunk link to Anchor
Core3 | Loopback0 | 172.16.0.3/32 |
Core3 | Serial0.100 | ip unnumbered loopback0 | PVC to Core1 (Trunk)
Core3 | Serial0.200 | ip unnumbered loopback0 | PVC to Core2 (Trunk)
Core3 | Serial1.100 | ip unnumbered loopback0 | PVC to Edge2 (Access)
Core3 | Ethernet0 | 172.16.3.1/30 | Trunk link to Core4
Core4 | rtk0 | 172.16.3.2/30 | Access link to Core2
Core4 | rtk1 | 172.16.3.6/30 | Access link to Core3
Core4 | ne2 | 10.3.1.1/24 | Core4 LAN
Edge1 | Loopback0 | 172.16.0.11/32 |
Edge1 | Serial1.100 | ip unnumbered loopback0 | PVC to Core2 (Access)
Edge1 | Serial1.200 | ip unnumbered loopback0 | PVC to Core1 (Access)
Edge1 | Ethernet0 | 10.1.1.1/24 | Edge1 LAN
Edge2 | Loopback0 | 172.16.0.12/32 |
Edge2 | Serial0.300 | ip unnumbered loopback0 | PVC to Core2 (Access)
Edge2 | Serial0.100 | ip unnumbered loopback0 | PVC to Core3 (Access)
Edge2 | Ethernet0 | 10.2.1.1/24 | Edge2 LAN
Pagent | Loopback0 | |
Pagent | Ethernet0 | 172.16.255.254/24 | Core1, Core4, Dinghy
Pagent | Ethernet1 | 10.3.1.254/24 | Core4
Table 4.2 Lab Network - IP Address Assignment
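Table 4.2 can be checked for internal consistency the same way one would check any addressing plan before typing it into routers. The Python script below is an added example for this workbook, not code from the original page or from the lab. PLAN transcribes the numbered interfaces of Table 4.2 (the ip unnumbered PVC subinterfaces borrow the loopback address and are left out), with the router named in the Remark column as peer; the rules and the function names are assumptions made for the example. It flags duplicate host addresses, addresses outside RFC 1918 space, loopbacks that are not /32, and /30 links whose subnet does not hold exactly the router the remark names.

```python
"""Consistency check for the lab addressing plan in Table 4.2.

Added example for this workbook, not code from the original page or the lab.
PLAN lists the numbered interfaces of Table 4.2; the peer field is the router
named in the Remark column. The rules and names are assumptions for the example.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str, str, Optional[str]]  # router, interface, addr/len, peer

PLAN: List[Entry] = [
    ("Core1", "Loopback0", "172.16.0.1/32", None),
    ("Core1", "Ethernet0", "172.16.255.1/24", None),
    ("Core2", "Loopback0", "172.16.0.2/32", None),
    ("Core2", "Ethernet0", "172.16.254.254/24", None),
    ("Core3", "Loopback0", "172.16.0.3/32", None),
    ("Core3", "Ethernet0", "172.16.3.1/30", "Core4"),
    ("Core4", "rtk0", "172.16.3.2/30", "Core2"),
    ("Core4", "rtk1", "172.16.3.6/30", "Core3"),
    ("Core4", "ne2", "10.3.1.1/24", None),
    ("Edge1", "Loopback0", "172.16.0.11/32", None),
    ("Edge1", "Ethernet0", "10.1.1.1/24", None),
    ("Edge2", "Loopback0", "172.16.0.12/32", None),
    ("Edge2", "Ethernet0", "10.2.1.1/24", None),
    ("Pagent", "Ethernet0", "172.16.255.254/24", None),
    ("Pagent", "Ethernet1", "10.3.1.254/24", None),
]


def check_plan(plan: List[Entry]) -> List[str]:
    """Return sorted findings: duplicate addresses, non-RFC 1918 addresses,
    loopbacks that are not /32, and /30 links whose subnet does not hold
    exactly the one router the Remark column names."""
    findings: List[str] = []
    ifaces = [(r, i, ipaddress.ip_interface(a), p) for r, i, a, p in plan]

    # Rule 1: every host address appears once.
    owner: Dict[ipaddress.IPv4Address, str] = {}
    for r, i, ip, _ in ifaces:
        where = f"{r}/{i}"
        if ip.ip in owner:
            findings.append(f"duplicate address {ip.ip}: {owner[ip.ip]} and {where}")
        owner.setdefault(ip.ip, where)

    # Rule 2: lab space is RFC 1918 (Section 4.2) and loopbacks are host routes.
    for r, i, ip, _ in ifaces:
        if not ip.ip.is_private:
            findings.append(f"{r}/{i} {ip}: not RFC 1918 space")
        if i.startswith("Loopback") and ip.network.prefixlen != 32:
            findings.append(f"{r}/{i} {ip}: loopback is not a /32")

    # Rule 3: a /30 link holds one other router, and it is the one the remark names.
    for r, i, ip, peer in ifaces:
        if ip.network.prefixlen != 30:
            continue
        others = sorted({o_r for o_r, _, o_ip, _ in ifaces
                         if o_ip.network == ip.network and o_r != r})
        if len(others) != 1:
            findings.append(f"{r}/{i} {ip}: {len(others)} other routers in {ip.network} (expected 1)")
        if peer is not None and peer not in others:
            held = ", ".join(others) or "nobody"
            findings.append(f"{r}/{i} {ip}: remark names {peer} but {ip.network} holds {held}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print(finding)
```

Run on the table as printed it returns three findings, all about Core4: rtk0 (172.16.3.2/30) shares 172.16.3.0/30 with Core3 Ethernet0 although its remark says Core2, and 172.16.3.4/30 (rtk1) has no second router in the table although its remark says Core3. The workbook does not say whether the remarks or the addresses are the typo, so the table is left as printed; the check only points at the rows to verify on the devices.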
4.2.1 MPLS
Unsupported MPLS images on c2500; AYAME code on NetBSD box;
TODO: config principle and examples
4.2.2 IPv6
The IPv6 network shall provide robust IPv6 transport service for whole networks. Solutions targeting individual host systems or infrequently communicating systems, such as tunnel brokers or automatic tunnels, are not being implemented.
Topology
The IPv6 overlay network uses a partly-meshed, hierarchical design. Hierarchical network design separates a topology into discrete layers with each layer focusing on a specific set of functions. Typical layers found in hierarchical networks are core layer, distribution layer, and access layer. The lab network uses a two layer hierarchy. All edge routers are connected to two IPv6 core routers (Anchor and Dinghy).
Figure 4.3 on page 24 shows an overview of the network.
Physical Design
The IPv6 test network uses Cisco routers and routers based on NetBSD and Zebra software.
Today Cisco has probably the most comprehensive IPv6 solution. Since Cisco routers are widely deployed it can be assumed that they will play a dominant role in future IPv6 networks as well.
Zebra (http://www.zebra.org) is the only routing software that is freely available today and actively developed. GateD routing software (http://www.gated.org) is no longer available to the public and it does not support IPv6. MRT routing software (http://www.merit.edu/mrt) does support IPv6 but is no longer actively developed. Therefore Zebra routing software is used in the IPv6 test network. NetBSD (http://www.netbsd.org) was chosen as platform because it includes the IPv6 implementation of the KAME project (http://www.kame.net) in its default distribution.
A mixture of both tunneling [6] and IPv6-enabled data links is used to create the network.
The following routers are used in the IPv6 network:
• Core routers:
− Anchor
− Dinghy
• Edge routers:
− Edge1
− Edge2
− Core4 (IPv4 core router)
Addressing
The laboratory network uses IPv6 addresses from the “site local” address space. Site local addresses are functionally equivalent to RFC 1918 addresses in the IPv4 world.
Tunnels are configured with “link local” addresses. Global IPv6 addresses are not configured on point-to-point links because we want to minimize the configuration [7]. On Cisco routers tunnel interfaces are configured with ip unnumbered loopback 0 to allow IPv6 ping from a router.
[6] Tunneling is encapsulation of IPv6 packets in IPv4 packets so that they can be transported over IPv4-only networks.
Routing
A dynamic routing protocol is used to propagate IPv6 routing information. An architecture based entirely on static routing is only appropriate for small networks that change infrequently. However, static routes are used for special cases, such as loopback interfaces of next-hop routers, or stub networks connected via a single link.
Cisco IOS software supports static routing, RIP, ISIS and multi-protocol BGP (MP-BGP) for IPv6 routing.
Zebra routing software supports static routing, RIP, OSPF and multi-protocol BGP for IPv6 routing [8].
RIP is the only IGP (Interior Gateway Protocol) Cisco IOS and Zebra routing software have in common. Since RIP is not suitable for use in wide area networks, the only dynamic IPv6 routing protocol available is multi-protocol BGP. Therefore the IPv6 network uses multi-protocol BGP for propagation of IPv6 routing information. Private AS 65000 is used for iBGP.
Multi-protocol BGP routes will be redistributed into RIP at the edge and advertised to local area networks by RIP. IPv6 routes are not learned via RIP, and RIP-derived routes are not redistributed into MP-BGP.
IPv6 routers in the lab use internal BGP (iBGP) to exchange routing information. iBGP requires a full mesh between all iBGP speakers, which limits network scalability (the n^2 problem: the number of sessions grows with the square of the number of speakers). A solution is using route reflectors for iBGP peering. Route reflectors can be either in the forwarding path or dedicated machines. At least two route reflectors are recommended for redundancy purposes.
Routers Anchor and Dinghy are used as route reflectors for iBGP. All BGP-speaking edge routers (Edge1, Edge2) peer with both route reflectors.
Since IPv6 edge router Core4 shares an Ethernet with router Dinghy, RIPv6 is used between them instead of iBGP. Please note that Dinghy does not learn IPv6 networks offered by Core4 via RIP. Static routes towards these networks are defined on Dinghy and redistributed into BGP. That way the other routers (Anchor, Edge1, Edge2) learn the networks attached to Core4. On Dinghy BGP-derived routes are redistributed into RIP and thus made available to router Core4.
Figure 4.4 on page 25 shows an overview of the routing architecture.
Please bear in mind the following:
• Use redistribute static on route reflectors to propagate the next-hop address of a directly attached edge router to the other edge routers.
• Do not use peer groups on route reflectors for route reflector clients [9].
• Use either distance or distribute-list in to prevent learning of routes via RIP.
[7] Remember that the lab shall provide a quick way to build specific test environments. Adding IPv6 addresses to unnumbered links is easier than removing old addresses prior to adding new ones. The same reason dictates the use of ip unnumbered on IPv4 point-to-point links.
[8] There is an ISISd project (http://isisd.sourceforge.net/) which was started in May 2001. The project aims to implement ISIS on the Zebra platform. Currently ISISd is not integrated in Zebra; it is available as a patch against the Zebra source code.
[9] Stolen from Halabi's BGP book: “Route reflectors can be used in conjunction with peer groups only when the clients of a route reflector are fully meshed. The reasoning is as follows: in a normal situation, a router A that learns a prefix from router B will send a WITHDRAW message back to that router to poison that route. In other words, router A is telling B that this prefix is not reachable via A. This is to prevent a situation where A claims that a prefix is reachable via B, and B claims it is reachable via A. In a peer group the same UPDATE or WITHDRAW message is sent to all members of the group. In a peer group/route reflector situation, a route reflector that has learned a prefix from one of its clients and is trying to poison that route will end up withdrawing that prefix from all the other clients. Because the clients are not talking to each other via BGP, that prefix will be lost.”
Host Access
IPv6 end systems can be configured either manually or automatically. A major benefit of IPv6 is the availability of address auto-configuration for host systems.
Automatic host configuration for IPv6 can be done in two ways, using either stateless auto-configuration or DHCPv6. Stateless auto-configuration is used in the IPv6 test network because NetBSD does not support DHCPv6.
Stateless auto-configuration requires that a router on a connected network periodically emits ICMPv6 “router advertisement” messages. These messages contain information such as the IPv6 sub-network prefix and the default router.
An end system listens to router advertisement messages to get its global IPv6 address and the default router. Hosts can also trigger router advertisements by sending an ICMPv6 “router solicitation” message.
Stateless auto-configuration is used in the IPv6 lab network.
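The following is an added example, not part of the workbook: it decodes an ICMPv6 router advertisement the way a host does, derives the EUI-64 address the host would auto-configure from the advertised prefix, and reports any advertised prefix that is not one of the site-local LAN prefixes drawn in figure 4.3 (a rogue or misconfigured advertising router). The MAC address and the RA bytes are constructed, and malformed options are rejected rather than silently accepted.

```python
import ipaddress
import struct

# Site-local /64 LAN prefixes drawn in figure 4.3; an RA advertising anything
# else is reported (rogue or misconfigured router advertisement).
EXPECTED_PREFIXES = {
    ipaddress.IPv6Network(p)
    for p in ("fefe:a::/64", "fefe:d::/64", "fefe:e1::/64",
              "fefe:e2::/64", "fefe:e3::/64")
}
ND_ROUTER_ADVERT = 134   # ICMPv6 message type
OPT_PREFIX_INFO = 3      # neighbour discovery option type


def parse_router_advertisement(icmpv6: bytes) -> dict:
    """Decode the RA header (ICMPv6 type 134) and its Prefix Information options.

    Malformed input raises ValueError: an option of length 0 or one that
    overruns the message must not be accepted.
    """
    if len(icmpv6) < 16:
        raise ValueError("router advertisement shorter than 16 bytes")
    (msg_type, code, _chksum, hop_limit, flags, router_lifetime,
     _reachable, _retrans) = struct.unpack("!BBHBBHII", icmpv6[:16])
    if msg_type != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a router advertisement")
    ra = {"hop_limit": hop_limit,
          "managed": bool(flags & 0x80),       # M flag: addresses via DHCPv6
          "other": bool(flags & 0x40),         # O flag: other config via DHCPv6
          "router_lifetime": router_lifetime,  # 0 means "not a default router"
          "prefixes": []}
    off = 16
    while off < len(icmpv6):
        if off + 2 > len(icmpv6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:
            raise ValueError("option with length 0")
        end = off + opt_len * 8          # option length is in units of 8 bytes
        if end > len(icmpv6):
            raise ValueError("option overruns message")
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred, _res, prefix = struct.unpack(
                "!BBIII16s", icmpv6[off + 2:end])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((prefix, plen), strict=False),
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),  # A flag: usable for SLAAC
                "valid_lifetime": valid,
                "preferred_lifetime": preferred})
        off = end
    return ra


def is_well_formed(icmpv6: bytes) -> bool:
    """True when the message parses as a router advertisement."""
    try:
        parse_router_advertisement(icmpv6)
        return True
    except ValueError:
        return False


def eui64_interface_id(mac: bytes) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC address."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    iid = bytearray(mac[:3] + b"\xff\xfe" + mac[3:])
    iid[0] ^= 0x02            # invert the universal/local bit
    return int.from_bytes(iid, "big")


def autoconfigured_address(prefix, mac: bytes) -> ipaddress.IPv6Address:
    """Address a host forms from an advertised /64 prefix and its MAC."""
    if prefix.prefixlen != 64:
        raise ValueError("stateless auto-configuration needs a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address)
                                 | eui64_interface_id(mac))


def check_advertisement(icmpv6: bytes, mac: bytes) -> dict:
    """Addresses a host would configure, plus any prefix outside the lab plan."""
    ra = parse_router_advertisement(icmpv6)
    result = {"addresses": [], "unexpected_prefixes": [],
              "default_router": ra["router_lifetime"] > 0}
    for p in ra["prefixes"]:
        if p["prefix"] not in EXPECTED_PREFIXES:
            result["unexpected_prefixes"].append(str(p["prefix"]))
        elif p["autonomous"]:
            result["addresses"].append(
                str(autoconfigured_address(p["prefix"], mac)))
    return result


def build_router_advertisement(prefix: str, router_lifetime: int = 1800) -> bytes:
    """Constructed RA with one Prefix Information option (checksum left 0)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0,
                         router_lifetime, 0, 0)
    option = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen,
                         0xC0, 2592000, 604800, 0,   # L and A flags set
                         net.network_address.packed)
    return header + option
```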
[Figure 4.1 Lab Network - Physical Design (drawing "Static Laboratory Network - Physical Design", static-lab-physical-design.graffle v1.7, 2002/10/19; not reproduced here). Nodes: c2501 Core1, Core2, Core3 (8MB Flash, 16MB DRAM); c2501 Edge1 and c2503 Edge2 (16MB Flash, 16MB DRAM); c4500m Pagent (16MB Flash, 32MB DRAM); i386 Core4 (48MB DRAM, 4GB HDD); DEC AS200 Anchor (128MB DRAM, 9GB HDD); SGI Indy Dinghy (64MB DRAM, 2GB HDD). Serial links are Frame Relay PVCs (DLCIs 100, 200, 300, 400) over back-to-back cables, with the physical and Frame Relay DTE/DCE/NNI roles marked at each link end.]
[Figure 4.2 Lab Network - Logical Design (drawing "Static Laboratory Network - IPv4 Logical Design", static-lab-logical-design.graffle v1.9, 2002/10/19; not reproduced here). Shows Core1, Core2, Core3 (IOS-MPLS), Edge1, Edge2 (IOS-Edge), Core4 (NetBSD-MPLS), Anchor and Dinghy (NetBSD-Core) with the loopback and interface addresses listed in table 4.2; OSPF area 0 plus the LAN areas 10.1.1.0, 10.2.1.0 and 10.3.1.0; 256 kbps and 64 kbps Frame Relay PVCs using "ip unnumbered"; 10 Mbps Ethernet segments.]
[Figure 4.3 Lab Network - IPv6 Logical Design (drawing "Static Laboratory Network - IPv6 Logical Design", static-lab-logical-design-inet6.graffle v1.10, 2002/10/24; not reproduced here). Nodes are marked IPv4 only, IPv4 and IPv6, or IPv6 only. Loopback addresses fefe::a, fefe::d, fefe::e1, fefe::e2 and fefe::e3 (/128); LAN prefixes fefe:a::/64, fefe:d::/64, fefe:e1::/64, fefe:e2::/64 and fefe:e3::/64; point-to-point prefixes fefe:bb::/126 and fefe:bb:d::/126; tunnel interfaces gif0 to gif3 (NetBSD) and tun0/tun1 (IOS). Link local addresses are used on tunnel interfaces.]
[Figure 4.4 Lab Network - IPv6 Routing (drawing "Static Laboratory Network - IPv6 Routing", static-lab-logical-design-inet6-routing.graffle v1.6, 2002/10/21; not reproduced here). Anchor and Dinghy are route reflectors; Edge1 and Edge2 are RR clients peering with both over iBGP (AS 65000 is used for iBGP); Core4 speaks RIPv6 with Dinghy; hosts on the edge LANs use stateless auto-config; "redistribute" marks where routes cross between BGP and RIP. Link local addresses are used on tunnel interfaces.]
[Figure 4.5 Lab Network - MPLS Logical Design (drawing "Static Laboratory Network - MPLS Logical Design", static-lab-logical-design-mpls.graffle v1.1, 2002/10/11; not reproduced here). Same nodes and addressing as figure 4.2, with the core links marked MPLS and the edge links marked IPv4.]
5 Network Services
5.1 DNS
Hosts Anchor and Dinghy provide name service for IPv4 and IPv6 systems in the lab network. Both machines use DJBDNS instead of BIND. A configuration example can be found on page 153ff.
5.2 FTP and TFTP
TBD
5.3 Logging
TBD
5.4 NTP
Host Anchor plays the role of the lab's NTP server. All lab routers peer with each other and with hosts Dinghy and Anchor. Configuration commands can be found on pages 54 (router), 73 (Anchor), and 74 (Dinghy).
5.5 Printing
TBD
5.6 netdb (http://www.net.cmu.edu/netreg/)
TBD
5.7 VideoLAN (www.videolan.org)
TBD -> Probably interesting for multicast labs.
5.8 Kismet (www.kismetwireless.net)
TBD
5.9 Network Verification Toolkit
The following sections describe tools that can be used to verify correct operation of lab networks.
5.9.1 Some Tools that come with IOS
Service Assurance Agent
Service Assurance Agent (SAA) is a new name for the Response Time Reporter (RTR) feature that was introduced in Cisco IOS release 11.2. The feature allows monitoring network performance by measuring key Service Level Agreement (SLA) metrics such as response time, network resources, availability, jitter, connect time, packet loss and application performance.
The following example shows an implementation of ping probes on a router. No configuration is required on the remote routers.
LER12#wr t
Building configuration...
<snip>
rtr 11
 type echo protocol ipIcmpEcho 172.16.0.11
rtr schedule 11 life forever start-time now
!
rtr 12
 type echo protocol ipIcmpEcho 172.16.0.12
rtr schedule 12 life forever start-time now
!
rtr 13
 type echo protocol ipIcmpEcho 172.16.0.13
rtr schedule 13 life forever start-time now
!
rtr 14
 type echo protocol ipIcmpEcho 172.16.0.14
rtr schedule 14 life forever start-time now
<snip>
The following output shows maximum (TMax) and minimum (TMin) round-trip times.
LER12#sho rtr distributions-statistics
Captured Statistics
Entry = Entry Number
StartT = Start Time of Entry (hundredths of seconds)
Pth = Path Index
Hop = Hop in Path Index
Dst = Time Distribution Index
Comps = Operations Completed
OvrTh = Operations Completed Over Thresholds
SumCmp = Sum of Completion Times (milliseconds)
SumCmp2L = Sum of Completion Times Squared Low 32 Bits (milliseconds)
SumCmp2H = Sum of Completion Times Squared High 32 Bits (milliseconds)
TMax = Completion Time Maximum (milliseconds)
TMin = Completion Time Minimum (milliseconds)

Entry StartT  Pth Hop Dst Comps OvrTh SumCmp SumCmp2L SumCmp2H TMax TMin
11    2822284 1   1   1   60    0     668    8580     0        24   1
12    2819228 1   1   1   61    0     1268   28944    0        52   8
13    2819415 1   1   1   60    0     603    8523     0        32   1
14    2819590 1   1   1   61    0     719    11559    0        36   1
LER12#
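As an added example, not part of the workbook, the following reads the table above and turns the per-probe sums into mean and standard deviation of the round-trip time (SumCmp2 is reassembled from its high and low 32-bit halves), then lists the probes whose worst observed round trip exceeds a threshold; the threshold value is an assumption.

```python
import math

# The 'show rtr distributions-statistics' table printed by LER12 above.
SAA_TABLE = """\
Entry StartT Pth Hop Dst Comps OvrTh SumCmp SumCmp2L SumCmp2H TMax TMin
11 2822284 1 1 1 60 0 668 8580 0 24 1
12 2819228 1 1 1 61 0 1268 28944 0 52 8
13 2819415 1 1 1 60 0 603 8523 0 32 1
14 2819590 1 1 1 61 0 719 11559 0 36 1
"""


def parse_distribution_statistics(text: str) -> list:
    """Turn the column-aligned table into one dict per probe entry."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header) or not fields[0].isdigit():
            continue                      # skip prompt and legend lines
        rows.append(dict(zip(header, (int(f) for f in fields))))
    return rows


def rtt_summary(row: dict) -> dict:
    """Mean and standard deviation of the completion time for one probe.

    SumCmp is the sum of completion times and SumCmp2H/SumCmp2L the high
    and low 32 bits of the sum of their squares, so
    variance = SumCmp2/Comps - (SumCmp/Comps)^2.
    """
    n = row["Comps"]
    if n == 0:
        return {"entry": row["Entry"], "completed": 0}
    sum_sq = (row["SumCmp2H"] << 32) | row["SumCmp2L"]
    mean = row["SumCmp"] / n
    variance = max(sum_sq / n - mean * mean, 0.0)   # guard rounding below 0
    return {
        "entry": row["Entry"],
        "completed": n,
        "mean_ms": mean,
        "stddev_ms": math.sqrt(variance),
        "max_ms": row["TMax"],
        "min_ms": row["TMin"],
        "over_threshold": row["OvrTh"],
    }


def summarize(text: str) -> list:
    """One summary per probe entry in the table."""
    return [rtt_summary(r) for r in parse_distribution_statistics(text)]


def probes_exceeding(text: str, max_rtt_ms: int) -> list:
    """Entry numbers whose worst observed round trip exceeds max_rtt_ms."""
    return [s["entry"] for s in summarize(text)
            if s.get("max_ms", 0) > max_rtt_ms]
```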
Configuring a jitter probe is a bit more complex. A probe must be configured locally and a responder must be configured on the remote router.
Configuration of the jitter probe on router A:
rtr 11
 type jitter dest-ipaddr 172.16.0.11 dest-port 2011 num-packets 20 interval 300
rtr schedule 11 life forever start-time now
Configuration of the responder on router B:
rtr responder
Traffic Matrix Statistics
Traffic matrix statistics (TMS) is an IOS feature that enables capturing and analyzing traffic data entering a backbone. By enabling a backbone router to gather traffic matrix statistics, you can determine the amount of traffic that enters the backbone from sites outside of the backbone. You can also determine the amount of traffic that is generated within the backbone. The traffic matrix statistics help you optimize and manage traffic across the backbone.
You can determine the amount of traffic the backbone handles by enabling a backbone router to track the number of packets and bytes that travel through it. You can separate the traffic into the categories “internal” (within scope of interest) and “external” (outside scope of interest). You separate the traffic by designating incoming interfaces on the backbone router as internal or external.
TMS data is counted during packet forwarding by CEF nonrecursive accounting, which is configured as described below.
• Enable CEF on the router.
• Enable non-recursive accounting on the router.
• Set incoming interfaces to collect internal or external traffic. By default all interfaces are set as internal.
A minimum TMS configuration looks like this:
ip cef
ip cef accounting non-recursive
!
interface Multilink1
 ip cef accounting non-recursive external
You can access traffic matrix data either by using the CLI or by reading the virtual files residing on the router.
LER12#show ip cef 10.25.0.0
10.25.0.0/24, version 71, per-destination sharing
0 packets, 0 bytes
  tag information set
    local tag: 39
  via 172.16.0.3, Serial3/0, 0 dependencies
    next hop 172.16.0.3, Serial3/0
    valid adjacency
    tag rewrite with Se3/0, point2point, tags imposed: {29}
  218016 packets, 153301502 bytes switched through the prefix
  tmstats: external 0 packets, 0 bytes
           internal 218016 packets, 153301502 bytes
  30 second output rate 46 Kbits/sec
LER12#
TMS data is stored in two files, tmstats_ascii (human readable format) and tmstats_binary (binary format).
LER12#dir system:/vfiles
Directory of system:/vfiles/

   11  -r--           0                    <no date>  tmasinfo
    9  -r--           0                    <no date>  tmstats_ascii
   10  -r--           0                    <no date>  tmstats_binary

No space information available
LER12#more system:/vfiles/tmstats_ascii
VERSION 1|ADDR 172.16.0.12|AGGREGATION TrafficMatrix.ascii|SYSUPTIME 39659|routerUTC 3246068423|NTP synchronized|DURATION 0|
p|172.16.1.23/32|9384|418|29163|0|0
p|172.16.254.0/24|9384|0|0|0|0
p|172.16.254.11/32|9384|0|0|0|0
p|172.16.254.100/32|9384|5040|254024|0|0
<snip>
You can export TMS data from a router using the copy command.
LER12#copy system:/vfiles/tmstats_ascii ?
  ftp:            Copy to ftp: file system
  null:           Copy to null: file system
  nvram:          Copy to nvram: file system
  rcp:            Copy to rcp: file system
  running-config  Update (merge with) current system configuration
  startup-config  Copy to startup configuration
  system:         Copy to system: file system
  tftp:           Copy to tftp: file system
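An added example, not from the workbook, that reads the tmstats_ascii format shown above once it has been copied off the router: it splits the header into fields, sums internal and external counters per prefix and lists the prefixes that received traffic from interfaces marked external. The record layout (internal packets, internal bytes, external packets, external bytes after the prefix) is inferred from the sample and the tmstats line of show ip cef; the third field is not interpreted, and the last record is constructed to show external traffic.

```python
# tmstats_ascii content: the header line and the four prefix records printed
# by LER12 above, plus one constructed record that carries external traffic.
TMSTATS_ASCII = (
    "VERSION 1|ADDR 172.16.0.12|AGGREGATION TrafficMatrix.ascii|SYSUPTIME 39659|"
    "routerUTC 3246068423|NTP synchronized|DURATION 0|\n"
    "p|172.16.1.23/32|9384|418|29163|0|0\n"
    "p|172.16.254.0/24|9384|0|0|0|0\n"
    "p|172.16.254.11/32|9384|0|0|0|0\n"
    "p|172.16.254.100/32|9384|5040|254024|0|0\n"
    "p|10.25.0.0/24|9384|218016|153301502|12|960\n"   # constructed record
)


def parse_tmstats(text: str) -> tuple:
    """Split the file into header fields, per-prefix counters and bad lines.

    Record layout assumed from the sample: p|prefix|<uninterpreted>|internal
    packets|internal bytes|external packets|external bytes, matching the
    'tmstats:' line of 'show ip cef'. Lines that do not fit are returned
    separately rather than silently dropped.
    """
    lines = text.splitlines()
    header = {}
    for field in lines[0].split("|"):
        if field:                            # trailing '|' yields an empty field
            key, _, value = field.partition(" ")
            header[key] = value
    records, bad = [], []
    for line in lines[1:]:
        parts = line.split("|")
        if len(parts) != 7 or parts[0] != "p":
            bad.append(line)
            continue
        try:
            records.append({
                "prefix": parts[1],
                "internal_packets": int(parts[3]),
                "internal_bytes": int(parts[4]),
                "external_packets": int(parts[5]),
                "external_bytes": int(parts[6]),
            })
        except ValueError:
            bad.append(line)
    return header, records, bad


def traffic_matrix(text: str) -> dict:
    """Totals per traffic class and the prefixes reached from outside the backbone."""
    header, records, bad = parse_tmstats(text)
    external = [r["prefix"] for r in records if r["external_packets"] > 0]
    return {
        "router": header.get("ADDR"),
        "ntp": header.get("NTP"),
        "internal_bytes": sum(r["internal_bytes"] for r in records),
        "external_bytes": sum(r["external_bytes"] for r in records),
        "prefixes_with_external_traffic": external,
        "malformed_records": len(bad),
    }
```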
5.9.2 Pagent
TODO: LNE templates for OSPF, BGP, and TGN
Pagent is a set of test tools, based on the Cisco IOS (Internetwork Operating System), and developed within Cisco. The test tools are included in special IOS Pagent images. The primary function of the Pagent tool set is to provide cost effective test tools to the Cisco community.
Since the tools are based on production hardware and the IOS operating system, the tools are not able to test the datalink level. They cannot affect frame checksums, preambles, inter frame gap times, or inject hardware failures.
There are limitations to the rates at which Pagent tools can transmit and receive packets. Due to the processing power of the main CPU, not all IOS based devices are able to transmit packets at full media rates.
The Pagent programs are best used for testing layer 3 protocols and above. That is, emulating routing protocols, multicast, TCP sessions, HTTP sessions.
Pagent images have a security scheme to prevent illegal distribution outside Cisco. When a router is loaded with a Pagent image for the first time, it presents a machine Id that must be converted to a license key. Once the license key is entered in the router, it is saved in the configuration so it is not required on subsequent downloads.
Pagent tools include:
• TGN (Traffic Generator) is used to define and send packets on any combination of supported interfaces on a router. The program has predefined templates to support the definition of specific packet types. Packet lengths and the data in any header field can be set to constant, incrementing or random values. Packet definitions can be imported from the PKTS program capture buffer.
• PKTS (Packet Count and Capture) can capture and display incoming and/or outgoing packets from any combination of interfaces on a router. It can fast-count packets, that is, it can count and discard packets at higher rates than IOS counters can support. PKTS supports the creation of filters that allow selective counting, capture or display.
• Template Compiler provides a convenient high-level language for defining packet formats. It adds new packet definitions to the Pagent tool set (TGN and PKTS) at run time and allows TGN traffic streams and PKTS filters to be defined using the new formats. It allows the definition of multiple display methods that can be used to decode and display packets.
• Router Verified Traffic (RVT) and Control Verified Traffic (CVT) are used together to test bridges and routers. CVT can automatically create numerous traffic streams between many Pagent router interfaces, for many different LAN media and network protocols. RVT can create modest levels of verified traffic where every packet sent through the test network is validated for correct sequence, data integrity, and length. RVT can also create fast-unverified traffic.
• PMOD (Passthru Modify) allows a Pagent router to be inserted into a test network so test traffic passes through the router and then allows the traffic packets to be modified. Depending on PMOD filters and configurations, the tool can selectively drop, alter, delay or timestamp packets. It also allows test packets to act as triggers and can recalculate test packet IP, TCP and UDP checksums.
• TCP Session Emulator (TCPSE) is a tool for generating TCP traffic. The tool provides configurable features that enable a user to emulate various TCP application dialogs between a TCP client and a TCP server. It emulates multiple hosts establishing thousands of TCP connections. All these TCP sessions are short-lived, which is very typical for web or email traffic.
• HTTP Session Emulator (HTTPSE) is a tool for generating HTTP traffic. It emulates multiple HTTP clients establishing HTTP connections to an HTTP server. It generates all kinds of HTTP traffic, including all kinds of HTTP requests and HTTP responses.
• FTP Session Emulator (FTPSE) is a TCP application for transferring files. The FTPSE Client Emulator generates real FTP traffic and emulates FTP client sessions, which must talk to a real FTP server. Currently FTPSE only supports the client side in passive mode.
• Large Network Emulators (LNE) is comprised of six programs to support six routing protocols: BGP, OSPF, ISIS, EIGRP, IGRP and RIP. LNE is used to emulate routers that advertise large router networks. It can emulate hundreds of routers to emulate multiple peers to a router under test. To stress the router under test, LNE can flap entire LNE routers, routes advertised by the LNE routers or route attributes.
LNE BGP
The following is a simple example of a BGP configuration on a Cisco router in a test network.
interface ethernet 0
 ip address 173.200.14.10 255.255.255.0
router bgp 100
 network 173.200.0.0
 neighbor 173.200.14.101 remote-as 101
The BGP process configuration on the Pagent router has to complement the IP addresses and autonomous system numbers configured on the router under test. The following commands will:
• Assign an IP address to the BGP process
• Identify the IP address of the destination router
• Assign an autonomous system number to the BGP process
• Identify the autonomous system number of the remote or destination router
• Add a group of networks to advertise
By default, a group advertises 100 networks or routes to networks. For this example, the value will be lowered to 10 networks. These are the commands used to create and configure this BGP process:
c4700-pagent#lne bgp
c4700-p(BGP:OFF,Et0:none)#ethernet1
c4700-p(BGP:OFF,Et1:none)#add bgp
c4700-p(BGP:OFF,Et1:1)#ip source 173.200.14.101
c4700-p(BGP:OFF,Et1:1)#ip destination 173.200.14.10
c4700-p(BGP:OFF,Et1:1)#autonomous-system 101
c4700-p(BGP:OFF,Et1:1)#remote-as 100
c4700-p(BGP:OFF,Et1:1)#add group
c4700-p(BGP:OFF,Et1:1-Grp1)#advert 10
This results in the following configuration:
c4700-p(BGP:OFF,Et1:1-Grp1)#sh
BGP Process 1 of 1 with 1 group(s) advertising 10 networks
name ""
on
datalink lne-defined
ip source 173.200.14.101
ip destination 173.200.14.10
autonomous-system 101
remote-as 100
!
random-as-range 200 to 65535
disallow duplicate-as on
disallow own-as on
!
router-flap off
router-flap duration on 600 to 1200 seconds
router-flap duration off 300 to 600 seconds
verbose on
flapping on
header-definition off
!
group 1
group name ""
advertise 10 networks
network start 34.1.1.0
network subnetmask 255.255.255.0
network per-nlri 10
next-hop ip-source
origin EGP Flap off
AS_SEQ 3 to 7 Flap off
AS_SET 0 to 3 Flap off
MED 1000 to 3000 Flap off
Pref 10000 to 100000 Flap off
withdraw Flap off
define AS_SEQ off
define AS_SET off
atomic-aggregate off
aggregator off
community attribute off
originator-id off
cluster-list attribute off
freeform attribute off
With the verbose on command, the process posts activity messages when BGP packets are sent or received. When this LNE BGP configuration is started, the following appears on the console:
c4700-p(BGP:OFF,Et1:1-Grp1)#start
- ON: BGP Processes Started.
c4700-p(BGP:ON,Et1:1-Grp1)#
BGP 173.200.14.101: Starting process #1 on Ethernet1.
BGP 173.200.14.101: Send Arp Request.
BGP 173.200.14.101: Send TCP SYN.
BGP 173.200.14.101: Send TCP SYN.
BGP 173.200.14.101: Send BGP Open.
BGP 173.200.14.101: Recv BGP Open from 173.200.14.10
BGP 173.200.14.101: Send Group 1 Updates.
BGP 173.200.14.101: Recv BGP Update from 173.200.14.10
If you enter the command show ip route bgp at the console of the router under test, you should see the 10 routes or subnets that were advertised by the LNE BGP process. For example:
Edge1#show ip route bgp
     34.0.0.0/24 is subnetted, 10 subnets
B       34.1.3.0 [20/2311] via 173.200.14.101, 00:00:03
B       34.1.2.0 [20/2311] via 173.200.14.101, 00:00:03
B       34.1.1.0 [20/2311] via 173.200.14.101, 00:00:03
B       34.1.7.0 [20/2311] via 173.200.14.101, 00:00:03
B       34.1.6.0 [20/2311] via 173.200.14.101, 00:00:03
B       34.1.5.0 [20/2311] via 173.200.14.101, 00:00:03
B       34.1.4.0 [20/2311] via 173.200.14.101, 00:00:03
B       34.1.10.0 [20/2311] via 173.200.14.101, 00:00:03
B       34.1.9.0 [20/2311] via 173.200.14.101, 00:00:04
B       34.1.8.0 [20/2311] via 173.200.14.101, 00:00:04
Edge1#
These are the console messages when the program is stopped:
c4700-p(BGP:ON,Et1:1-Grp1)#stop
--- Please wait until all BGP TCP circuits are closed.
BGP 173.200.14.101: Send TCP FIN #1.
BGP 173.200.14.101: Recv TCP Close from 173.200.14.10
- OFF: BGP Processes Stopped.
c4700-p(BGP:OFF,Et1:1-Grp1)#
LNE OSPF
The following is a simple example of an OSPF configuration on a Cisco router in a test network. Setting SPF (shortest path first) timers to stress test the router under test is optional.
interface Ethernet2
 ip address 192.21.2.2 255.255.255.0
 no shutdown
!
router ospf 700
 timers spf 0 0
 network 192.21.2.0 0.0.0.255 area 0
The OSPF process configuration on the Pagent router must complement the IP addresses configured on the router under test. The following commands will:
• Select the LNE OSPF program command prompt
• Select the Ethernet2 interface
• Create an OSPF EASY process
• Assign an IP address to the process that is in the same subnet as the interface of the RUT
• Configure the OSPF process to advertise 20 networks
• Turn on basic program messages
These are the commands used to create and configure the OSPF process:
a4700a-pagent#lne ospf
a4700a-(OSPF:OFF,Et0:none)#et2
a4700a-(OSPF:OFF,Et2:none)#add ez-ospf
a4700a-(OSPF:OFF,Et2:1/1)#ip source 192.21.2.5
a4700a-(OSPF:OFF,Et2:1/1)#advertise 20
a4700a-(OSPF:OFF,Et2:1/1)#verb on
a4700a-(OSPF:OFF,Et2:1/1)#
This results in the following configuration:
a4700a-(OSPF:OFF,Et2:1/1)#sho
OSPF Process 1 of 1
! This is an OSPF-EASY process
!
name ""
on
!
datalink lne-defined
ip source 192.21.2.5
id 1.1.1.1
subnet-mask 255.255.255.0
area 0.0.0.0
!
hello-interval 10
dead-interval 40
network-type broadcast
!
advertise 20
network start 193.0.0.0
network subnetmask 255.255.255.0
!
interface-metric 10 to 10
cluster-link-type broadcast
authentication off
traffic-eng off
!
summary-links quantity 0
!
external-links quantity 0
!
nssa-links quantity 0
!
withdraw-flap off
withdraw-flap 1 2
link-flap off
link-flap 0 2
!
convergence-test off
convergence-test destination 0.0.0.0
convergence-test packet-interval 10
convergence-test delay-next 1
convergence-test verbose off
!
verify-test off
verify-test current-table
verify-test batch-size 100
verify-test batch-interval 100
verify-test max-timeout 60
verify-test verbose off
!
router-flap off
router-flap duration on 600 to 1200 seconds
router-flap duration off 300 to 600 seconds
update rate 50 pps
update interval 1800 seconds
verbose on
header-definition off
With the verbose on command, the process posts activity messages when OSPF packets are sent or received. When this LNE OSPF configuration is started, the following appears on the console:
a4700a-(OSPF:OFF,Et2:1/1)#start
*** OSPF 192.21.2.5 now looking for designated routers.
- ON: OSPF Processes Started.
a4700a-(OSPF:ON,Et2:1/1)#
OSPF Found Designated Router 192.21.2.2, ID 192.21.0.2 on Ethernet2.
OSPF 192.21.2.5 Starting.
OSPF 192.21.2.5 send OSPF Database Description, Router:0.
OSPF 192.21.2.5 send OSPF Database Description, Router:1.
OSPF 192.21.2.5 send OSPF Database Description, Router:2.
OSPF 192.21.2.5 send OSPF Database Description, Router:3.
OSPF 192.21.2.5 send OSPF Database Description, Router:4.
OSPF 192.21.2.5 send OSPF Database Description, Router:5.
OSPF 192.21.2.5 send OSPF Database Description, Router:6.
OSPF 192.21.2.5 send OSPF Database Description, Router:7.
OSPF 192.21.2.5 send OSPF Database Description, Router:8.
OSPF 192.21.2.5 database exchange complete
a4700a-(OSPF:ON,Et2:1/1)#
On the console of the router under test you should see an OSPF adjacency change message. If you enter the command show ip ospf neighbor at the router, you should see one neighbor in the FULL state, which is the LNE OSPF process. If you enter the command show ip route ospf at the router under test, you should see the 20 routes or networks that were advertised by the LNE OSPF process. For example:
b4700a-pagent#
2w6d: %OSPF-5-ADJCHG: Process 700, Nbr 1.1.1.1 on Ethernet2 from LOADING to FULL, Loading Done
b4700a-pagent#sho ip ospf neighbour
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/DROTHER    00:00:35    192.21.2.5      Ethernet2
b4700a-pagent#
b4700a-pagent#sho ip route ospf
O    193.0.13.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.12.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.15.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.14.0/24 [110/60] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.9.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.8.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.11.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.10.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.5.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.4.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.7.0/24 [110/30] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.6.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.1.0/24 [110/30] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.16.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.17.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.0.0/24 [110/20] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.3.0/24 [110/40] via 192.21.2.5, 00:01:53, Ethernet2
O    193.0.18.0/24 [110/50] via 192.21.2.5, 00:01:53, Ethernet2
O    193.0.19.0/24 [110/50] via 192.21.2.5, 00:01:53, Ethernet2
O    193.0.2.0/24 [110/30] via 192.21.2.5, 00:01:53, Ethernet2
These are the console messages when the program is stopped:
a4700a-(OSPF:ON,Et2:1/1)#stop
- OFF: OSPF Processes Stopped.
a4700a-(OSPF:OFF,Et2:1/1)#
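The two show commands above can be checked mechanically rather than by eye. The following Python example is added here and is not part of the workbook: it parses the neighbor and route listings and verifies the expected end state of the LNE OSPF test (exactly one FULL neighbor, the LNE process, and all 20 routes learned via that neighbor's address), which also reveals routes injected by any other OSPF speaker on the segment. The sample output is constructed from the console listing above.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the "show ip ospf neighbor" listing above.
NEIGHBOR_OUTPUT = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/DROTHER    00:00:35    192.21.2.5      Ethernet2
"""

# Constructed sample with the 20 prefixes and metrics of the "show ip route ospf"
# listing above (193.0.0.0/24 .. 193.0.19.0/24, here in prefix order).
_METRICS = [20, 30, 30, 40, 40, 50, 40, 30, 40, 40, 40, 50, 50, 50, 60, 50, 40, 50, 50, 50]
ROUTE_OUTPUT = "".join(
    f"O    193.0.{i}.0/24 [110/{m}] via 192.21.2.5, 00:01:52, Ethernet2\n"
    for i, m in enumerate(_METRICS))

NEIGHBOR_RE = re.compile(
    r"^(?P<rid>\d+(?:\.\d+){3})\s+\d+\s+(?P<state>\S+)\s+\S+\s+"
    r"(?P<addr>\d+(?:\.\d+){3})\s+(?P<ifc>\S+)\s*$")
ROUTE_RE = re.compile(
    r"^O\s+(?P<prefix>\S+/\d+)\s+\[\d+/(?P<metric>\d+)\]\s+via\s+"
    r"(?P<nh>\d+(?:\.\d+){3}),\s+\S+,\s+(?P<ifc>\S+)\s*$")


@dataclass
class Neighbor:
    router_id: str
    state: str
    address: str
    interface: str


@dataclass
class OspfRoute:
    prefix: str
    metric: int
    next_hop: str
    interface: str


def parse_neighbors(text):
    """Parse the rows of "show ip ospf neighbor"; the header line does not match."""
    return [Neighbor(m["rid"], m["state"], m["addr"], m["ifc"])
            for m in map(NEIGHBOR_RE.match, text.splitlines()) if m]


def parse_ospf_routes(text):
    """Parse the 'O' rows of "show ip route ospf"."""
    return [OspfRoute(m["prefix"], int(m["metric"]), m["nh"], m["ifc"])
            for m in map(ROUTE_RE.match, text.splitlines()) if m]


def metric_histogram(routes):
    """Routes per OSPF cost, i.e. the depth profile of the topology the LNE simulates."""
    return dict(Counter(r.metric for r in routes))


def check_lne_ospf(neighbor_text, route_text, lne_router_id="1.1.1.1", expected_routes=20):
    """Return deviations from the expected end state of the LNE OSPF test (empty list = pass)."""
    findings = []
    neighbors = parse_neighbors(neighbor_text)
    full = [n for n in neighbors if n.state.startswith("FULL")]
    if [n.router_id for n in full] != [lne_router_id]:
        findings.append(f"expected exactly one FULL neighbor {lne_router_id}, "
                        f"saw {[n.router_id for n in full]}")
    for n in neighbors:
        if not n.state.startswith("FULL"):
            findings.append(f"neighbor {n.router_id} on {n.interface} is in state {n.state}")
    routes = parse_ospf_routes(route_text)
    if len(routes) != expected_routes:
        findings.append(f"expected {expected_routes} OSPF routes, saw {len(routes)}")
    # Every route must point at the generator's address; anything else was
    # advertised by some other OSPF speaker on the segment.
    lne_addresses = {n.address for n in full if n.router_id == lne_router_id}
    stray = [r.prefix for r in routes if r.next_hop not in lne_addresses]
    if stray:
        findings.append(f"routes not learned via the LNE process: {stray}")
    return findings


if __name__ == "__main__":
    for line in check_lne_ospf(NEIGHBOR_OUTPUT, ROUTE_OUTPUT) or ["LNE OSPF test state as expected"]:
        print(line)
    print(metric_histogram(parse_ospf_routes(ROUTE_OUTPUT)))
```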
TGN
The following configuration statements create a traffic stream from router PAGENT1 to dummy nodes in EDGE2-LAN. Router PAGENT2 acts as ARP responder, providing MAC addresses for ARP requests to the dummy nodes. Please see also the figure on page XXX.
The traffic flow uses 64-byte, 570-byte and 1518-byte IP packets in a 7:4:1 distribution (imix).
Create ARP responder on router PAGENT2:
eth <interface>
add arp responder
name "EDGE2-LAN"
ip-address 10.22.0.2 to 10.22.0.253
mac-address <MAC-PAGENT2>
Create 64 byte flow on router PAGENT1:
eth <interface>
add ip
name "PAGENT1-to-EDGE2-64byte"
rate 70
length 64
l2-encapsulation arpa
l2-dest-addr <MAC-EDGE1>
l2-src-addr <MAC-PAGENT1>
l2-protocol 0x0800
l3-tos random 0x00 to 0x07
l3-dest-addr random 10.22.0.2 to 10.22.0.253
l3-src-addr random 10.21.0.2 to 10.21.0.253
Create 570 byte flow on router PAGENT1:
eth <interface>
add ip
name "PAGENT1-to-EDGE2-570byte"
rate 40
length 570
l2-encapsulation arpa
l2-dest-addr <MAC-EDGE1>
l2-src-addr <MAC-PAGENT1>
l2-protocol 0x0800
l3-tos random 0x00 to 0x07
l3-dest-addr random 10.22.0.2 to 10.22.0.253
l3-src-addr random 10.21.0.2 to 10.21.0.253
Create 1518 byte flow on router PAGENT1:
eth <interface>
add ip
name "PAGENT1-to-EDGE2-1518byte"
rate 10
length 1518
l2-encapsulation arpa
l2-dest-addr <MAC-EDGE1>
l2-src-addr <MAC-PAGENT1>
l2-protocol 0x0800
l3-tos random 0x00 to 0x07
l3-dest-addr random 10.22.0.2 to 10.22.0.253
l3-src-addr random 10.21.0.2 to 10.21.0.253
Check traffic generation:
PAGENT1(TGN:ON,Et1/0:4/4)#show ip

Summary of IP traffic streams on Ethernet1/0
ts#      tos len  id   frag ttl protocol chksm source      destination
2 IP     00  20   0000 0000 60  0        6AB8  10.21.0.2   10.22.0.2
3 IP     00  20   0000 0000 60  0        6AB8  10.21.0.2   10.22.0.2
4 IP     00  20   0000 0000 60  0        6AB8  10.21.0.2   10.22.0.2

PAGENT1(TGN:ON,Et1/0:4/4)#
PAGENT1(TGN:ON,Et1/0:4/4)#show rate

The rates are since traffic generation was started.

Summary of traffic stream rates on Ethernet1/0
                                              measured
ts# template state repeat interval/rate   interval/rate packets_sent
2   IP       on    1      70 pps          3.216         134071
3   IP       on    1      40 pps          3.216         134068
4   IP       on    1      10 pps          3.216         134067
Totals for Ethernet1/0                    9.649         402206

PAGENT1(TGN:ON,Et1/0:4/4)#
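The three streams in the show rate output above report nearly identical packets_sent counts although they were configured for a 7:4:1 split, so checking the achieved imix is worth automating. The following Python example is added here and is not from the workbook: it parses the show rate summary, compares the achieved packet split with the configured one and computes the offered load from the frame lengths configured above; it assumes the measured interval/rate column is a packet rate in packets per second.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the "show rate" summary above.
SHOW_RATE = """\
Summary of traffic stream rates on Ethernet1/0
                                              measured
ts# template state repeat interval/rate   interval/rate packets_sent
2   IP       on    1      70 pps          3.216         134071
3   IP       on    1      40 pps          3.216         134068
4   IP       on    1      10 pps          3.216         134067
Totals for Ethernet1/0                    9.649         402206
"""

# Frame length per stream, from the "length" keyword of the add ip statements above.
STREAM_LENGTH = {2: 64, 3: 570, 4: 1518}

STREAM_RE = re.compile(
    r"^(?P<ts>\d+)\s+\S+\s+(?P<state>on|off)\s+\d+\s+(?P<cfg>\d+)\s+pps\s+"
    r"(?P<meas>\d+(?:\.\d+)?)\s+(?P<sent>\d+)\s*$")


@dataclass
class Stream:
    ts: int
    state: str
    configured_pps: int
    measured_pps: float   # "measured interval/rate" column, assumed to be packets per second
    packets_sent: int


def parse_show_rate(text):
    """Parse the per-stream rows; the header and Totals lines do not match."""
    return [Stream(int(m["ts"]), m["state"], int(m["cfg"]), float(m["meas"]), int(m["sent"]))
            for m in map(STREAM_RE.match, text.splitlines()) if m]


def configured_split(streams):
    """Share of the total configured rate per stream (7:4:1 -> 7/12, 4/12, 1/12)."""
    total = sum(s.configured_pps for s in streams)
    return {s.ts: s.configured_pps / total for s in streams}


def measured_split(streams):
    """Share of all packets actually sent per stream."""
    total = sum(s.packets_sent for s in streams)
    return {s.ts: s.packets_sent / total for s in streams}


def offered_load_bps(streams, lengths, measured=False):
    """Load in bit/s as sum(pps * frame length * 8); measured=True uses the measured rate."""
    return sum((s.measured_pps if measured else s.configured_pps) * lengths[s.ts] * 8
               for s in streams)


def check_imix(streams, tolerance=0.05):
    """List the streams whose share of sent packets is off the configured split."""
    want, got = configured_split(streams), measured_split(streams)
    return [f"ts {ts}: configured {want[ts]:.1%} of packets, sent {got[ts]:.1%}"
            for ts in want if abs(want[ts] - got[ts]) > tolerance]


if __name__ == "__main__":
    streams = parse_show_rate(SHOW_RATE)
    print(f"configured load: {offered_load_bps(streams, STREAM_LENGTH):.0f} bit/s, "
          f"achieved: {offered_load_bps(streams, STREAM_LENGTH, measured=True):.0f} bit/s")
    for line in check_imix(streams) or ["imix split achieved"]:
        print(line)
```

On the sample above the 64-byte and 1518-byte streams are reported as off their configured share, while the 570-byte stream happens to match its 1/3 share.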
[Figure 5.1 (Pagent TGN test setup): PAGENT1 (eth0, <MAC-PAGENT1>, IP 10.21.0.254) and EDGE1 (eth0, <MAC-EDGE1>, IP 10.21.0.1) share IP network 10.21.0.0/24; EDGE2 (eth0, <MAC-EDGE2>, IP 10.22.0.254) and PAGENT2 (eth0, <MAC-PAGENT2>, IP 10.22.0.1) share IP network 10.22.0.0/24; the traffic stream runs from PAGENT1 towards EDGE2-LAN. The figure annotates PAGENT2 with the ARP responder statements and PAGENT1 with the 64 byte flow statements listed above, with eth 0 as the interface.]
Figure 5.1 Pagent TGN
5.9.3 Expect
Expect script rtr3 can be used to execute commands on a router. The script can be found on page 107.
Figure 5.2 Expect script rtr3
5.9.4 Ploticus
Sometimes it is interesting to monitor CPU and memory utilization during an experiment. The following procedure allows creating CPU and memory graphs covering a time period of a few hours.
The procedure involves gathering router data using cron and an Expect script (rtr3). The data is graphed using the Ploticus software (http://ploticus.sourceforge.net/).
zerberus.sh is a shell script that is executed by cron every five minutes. The script invokes rtr3 to collect data from a router and store it in a log file. It can be found on page 101ff.
cpu.pl is a Ploticus script that generates a CPU graph from the log file. It can be found on page 101ff.
mem.pl is a Ploticus script that generates a memory graph from the log file. It can be found on page 101ff.
Example graphs can be found on page 43 and 44.
Figure 5.3 Example of a Ploticus CPU utilization graph
Figure 5.4 Example of a Ploticus memory utilization graph
5.9.5 NRFU
• Table of FR PVCs
• CDP table
• OSPF table
• IS-IS table
• BGP
5.9.6 Cricket and RRDTool
TBD
5.9.7 MRTG
MRTG (http://www.mrtg.org) has been deployed as another method of monitoring CPU and memory utilization during an experiment.
MRTG is installed on node Dinghy (from NetBSD pkgsrc). MRTG configuration files are placed in the directory /home/mrtg. MRTG generated files are placed in subdirectories of /home/mrtg/public_html. They can be accessed via the URL http://dinghy.brest.lab.
Templates for CPU and memory configuration files are stored in an RCS repository in /home/mrtg.
Monitoring a new router requires the following steps:
• Check out the files router_name-cpu_mrtg.conf and router_name-memory_mrtg.conf
• Individualize and rename the files router_name-cpu_mrtg.conf and router_name-memory_mrtg.conf
• Add the files <ROUTER_SHORT_NAME>-cpu_mrtg.conf and <ROUTER_SHORT_NAME>-memory_mrtg.conf to mrtg.conf
• Create the directory /home/mrtg/public_html/<ROUTER_SHORT_NAME>
• Start or restart MRTG
Example configuration files can be found on page 104.
Example graphs can be found on page 48, 49 and 50.
Figure 5.5 Example of a MRTG CPU utilization graph
Figure 5.6 Example of a MRTG memory utilization graph
Figure 5.7 Example of a MRTG free memory graph
5.9.8 Ethereal (www.ethereal.com)
TBD
5.9.9 Etherape (etherape.sourceforge.net)
TBD
5.10 Authentication Services
5.10.1 RADIUS
Host Dinghy provides the RADIUS authentication service for the lab routers. It runs the Cistron RADIUS daemon (radiusd-cistron-1.6.6), which was installed from NetBSD package source. RADIUS configuration files reside in /usr/pkg/etc/raddb. Example configuration files can be found on page XXX. RADIUS is started using daemontools.
[email protected]# ll /service | grep radiusd
lrwxr-xr-x  1 root  wheel  20 Oct  1 17:41 radiusd -> /usr/pkg/etc/[email protected]#
[email protected]# cat /service/radiusd/run
#!/bin/sh
exec /usr/pkg/sbin/radiusd /usr/pkg/sbin/radiusd -f -s -d /usr/pkg/etc/raddb -p [email protected]#
Configuration commands for Cisco routers can be found on page xxx.
5.11 Security Toolkit
• Portsentry and Logcheck
• Nessus (www.nessus.org)
• Snort and Logsnorter (www.snort.org)
• Analysis Console for Intrusion Databases (ACID) (www.cert.org/kb/acid)
• nmap
A Configuration Log
A.1 Basic IPv4 Configuration
Router configuration files are split into device specific and common files. Device specific files configure mainly the transport and routing aspects. Common files configure generic functions such as NTP, SNMP, and administrative access.
A.1.1 Common Configuration - NTP, SNMP, Administrative Access
! $Id: common-confg,v 1.2 2002/10/25 14:15:13 markus Exp $
!
! Generic commands, administrative access etc.
!
interface loopback1
 description $Id: common-confg,v 1.2 2002/10/25 14:15:13 markus Exp $
!
ip telnet source-interface Loopback0
ip tftp source-interface Loopback0
ip ftp source-interface Loopback0
!
ip domain-name brest.lab
ip name-server 172.16.254.2 172.16.255.2
!
logging trap debugging
logging facility local4
logging source-interface Loopback0
logging 172.16.255.2
!
access-list 1 remark Hosts in this list are allowed telnet/SNMP access
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 1 permit 172.16.254.0 0.0.0.255
access-list 1 permit 172.16.255.0 0.0.0.255
!
snmp-server community Brest-Lab RO 1
!
line vty 0 4
 access-class 1 in
 transport input telnet
!
ntp peer 172.16.0.1 source Loopback0    ! Core1
ntp peer 172.16.0.2 source Loopback0    ! Core2
ntp peer 172.16.0.3 source Loopback0    ! Core3
ntp peer 172.16.0.11 source Loopback0   ! Edge1
ntp peer 172.16.0.12 source Loopback0   ! Edge2
ntp peer 172.16.3.2 source Loopback0    ! Edge3
ntp peer 172.16.255.2 source Loopback0  ! Dinghy
ntp server 172.16.254.2 source Loopback0 prefer  ! Anchor
A.1.2 Common Configuration - RADIUS
Two configuration files are provided here because IOS 12.0 is configured differently from IOS 12.2.
! $Id: common-radius-confg,v 1.2 2002/10/25 14:16:26 markus Exp $
! RADIUS IOS 12.2
!
interface loopback2
 description $Id: common-radius-confg,v 1.2 2002/10/25 14:16:26 markus Exp $
!
aaa new-model
aaa authentication login LOCAL_AUTH local
aaa authentication login RADIUS_AUTH group radius local
aaa authentication enable default group radius enable
aaa accounting send stop-record authentication failure
aaa accounting exec default wait-start group radius
ip radius source-interface loopback0
!
enable secret q1w2e3r4
username admin password 1q2w3e4r
!
radius-server host 172.16.255.2 auth-port 1812 acct-port 1813
radius-server key Brest-Lab
!
line con 0
 exec-timeout 0 0
 login authentication LOCAL_AUTH
 transport input none
line aux 0
 exec-timeout 15 0
 login authentication LOCAL_AUTH
line vty 0 4
 exec-timeout 15 0
 login authentication RADIUS_AUTH
This is the IOS 12.0 configuration:
! $Id: common-radius-oldstyle-confg,v 1.2 2002/10/25 14:17:39 markus Exp $
! RADIUS IOS 12.0 -> no "group radius"
!
interface loopback 2
 description $Id: common-radius-oldstyle-confg,v 1.2 2002/10/25 14:17:39 markus Exp $
!
aaa new-model
aaa authentication login LOCAL_AUTH local
aaa authentication login RADIUS_AUTH radius local
aaa authentication enable default radius enable
aaa accounting send stop-record authentication failure
aaa accounting exec default wait-start radius
ip radius source-interface loopback0
!
enable secret q1w2e3r4
username admin password 1q2w3e4r
!
radius-server host 172.16.255.2 auth-port 1812 acct-port 1813
radius-server key Brest-Lab
!
line con 0
 exec-timeout 0 0
 login authentication LOCAL_AUTH
 transport input none
line aux 0
 exec-timeout 15 0
 login authentication LOCAL_AUTH
line vty 0 4
 exec-timeout 15 0
 login authentication RADIUS_AUTH
A.1.3 Router Core1 - IPv4
! $Id: core1-confg,v 1.3 2002/10/19 15:49:11 markus Exp $
!
version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Core1
!
enable secret q1w2e3r4
username admin password 1q2w3e4r
username system password manager
username markus password 1q2w3e4r
!
ip subnet-zero
ip cef
!
frame-relay switching
!
interface Loopback0
 description $Id: core1-confg,v 1.3 2002/10/19 15:49:11 markus Exp $
 ip address 172.16.0.1 255.255.255.255
 no ip directed-broadcast
!
interface Ethernet0
 description Core1 LAN -> Dinghy
 ip address 172.16.255.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 description Trunk link Core1 to Core2
 bandwidth 2000
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no fair-queue
 clockrate 2000000
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
 frame-relay intf-type nni
 frame-relay route 200 interface Serial1 200
 frame-relay route 300 interface Serial1 300
!
interface Serial0.100 point-to-point
 description Link Core1 to Core2
 bandwidth 256
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 256KBPS
 frame-relay interface-dlci 100
!
interface Serial0.400 point-to-point
 description Link Core1 to Edge1
 bandwidth 64
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 64KBPS
 frame-relay interface-dlci 400
!
interface Serial1
 description Trunk link Core1 to Core3
 bandwidth 2000
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no fair-queue
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
 frame-relay intf-type nni
 frame-relay route 200 interface Serial0 200
 frame-relay route 300 interface Serial0 300
!
interface Serial1.100 point-to-point
 description Link Core1 to Core3
 bandwidth 256
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 256KBPS
 frame-relay interface-dlci 100
!
router ospf 65000
 log-adjacency-changes
 network 172.16.0.0 0.0.0.255 area 0
 network 172.16.255.0 0.0.0.255 area 0
!
ip classless
no ip pim bidir-enable
!
map-class frame-relay 256KBPS
 frame-relay traffic-rate 256000 512000
 frame-relay adaptive-shaping becn
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
 exec-timeout 15 0
 login local
line vty 0 4
 exec-timeout 15 0
 login local
 transport input telnet
end
A.1.4 Router Core2 - IPv4
! $Id: core2-confg,v 1.3 2002/10/19 15:49:17 markus Exp $
!
version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Core2
!
enable secret q1w2e3r4
username admin password 1q2w3e4r
username system password manager
username markus password 1q2w3e4r
ip subnet-zero
ip cef
!
frame-relay switching
!
interface Loopback0
 description $Id: core2-confg,v 1.3 2002/10/19 15:49:17 markus Exp $
 ip address 172.16.0.2 255.255.255.255
 no ip directed-broadcast
!
interface Ethernet0
 description Office LAN -> Anchor
 ip address 172.16.254.254 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 description Access link Core2 to Edge1
 bandwidth 2000
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no fair-queue
 clockrate 2000000
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 400 interface Serial1 400
!
interface Serial0.100 point-to-point
 description Access link Core2 to Edge1
 bandwidth 64
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 64KBPS
 frame-relay interface-dlci 100
!
interface Serial1
 description Trunk link Core2 to Core1
 bandwidth 2000
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no fair-queue
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
 frame-relay intf-type nni
 frame-relay route 400 interface Serial0 400
!
interface Serial1.100 point-to-point
 description Trunk link Core2 to Core1
 bandwidth 256
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 256KBPS
 frame-relay interface-dlci 100
!
interface Serial1.200 point-to-point
 description Trunk link Core2 to Core3
 bandwidth 256
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 256KBPS
 frame-relay interface-dlci 200
!
interface Serial1.300 point-to-point
 description Access link Core2 to Edge2
 bandwidth 64
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 64KBPS
 frame-relay interface-dlci 300
!
router ospf 65000
 log-adjacency-changes
 network 172.16.0.0 0.0.0.255 area 0
 network 172.16.254.0 0.0.0.255 area 0
!
ip classless
no ip pim bidir-enable
!
map-class frame-relay 256KBPS
 frame-relay traffic-rate 256000 512000
 frame-relay adaptive-shaping becn
!
map-class frame-relay 64KBPS
 frame-relay traffic-rate 64000 128000
 frame-relay adaptive-shaping becn
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
 exec-timeout 15 0
 login local
line vty 0 4
 exec-timeout 15 0
 login local
 transport input telnet
end
A.1.5 Router Core3 - IPv4
! $Id: core3-confg,v 1.3 2002/10/12 14:30:02 markus Exp $
!
version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Core3
!
enable secret q1w2e3r4
username admin password 1q2w3e4r
username system password manager
username markus password 1q2w3e4r
ip subnet-zero
ip cef
!
frame-relay switching
!
interface Loopback0
 description $Id: core3-confg,v 1.3 2002/10/12 14:30:02 markus Exp $
 ip address 172.16.0.3 255.255.255.255
 no ip directed-broadcast
!
interface Ethernet0
 description Trunk link Core3 to Core4
 ip address 172.16.3.1 255.255.255.252
 no ip directed-broadcast
!
interface Serial0
 description Trunk link Core3 to Core1
 bandwidth 2000
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no fair-queue
 clockrate 2000000
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
 frame-relay intf-type nni
 frame-relay route 300 interface Serial1 300
!
interface Serial0.100 point-to-point
 description Trunk link Core3 to Core1
 bandwidth 256
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 256KBPS
 frame-relay interface-dlci 100
!
interface Serial0.200 point-to-point
 description Trunk link Core3 to Core2
 bandwidth 256
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 256KBPS
 frame-relay interface-dlci 200
!
interface Serial1
 description Access link Core3 to Edge2
 bandwidth 2000
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no fair-queue
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 300 interface Serial0 300
!
interface Serial1.100 point-to-point
 description Access link Core3 to Edge2
 bandwidth 64
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 64KBPS
 frame-relay interface-dlci 100
!
router ospf 65000
 log-adjacency-changes
 network 172.16.0.0 0.0.0.255 area 0
 network 172.16.3.0 0.0.0.255 area 0
!
ip classless
no ip pim bidir-enable
!
map-class frame-relay 256KBPS
 frame-relay traffic-rate 256000 512000
 frame-relay adaptive-shaping becn
!
map-class frame-relay 64KBPS
 frame-relay traffic-rate 64000 128000
 frame-relay adaptive-shaping becn
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
 exec-timeout 15 0
 login local
line vty 0 4
 exec-timeout 15 0
 login local
 transport input telnet
end
A.1.6 Router Core4 - IPv4
[file 910-Configuration-Log/core4-confg does not exist]
A.1.7 Router Edge1 - IPv4
! $Id: edge1-confg,v 1.4 2002/10/19 15:49:02 markus Exp $
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Edge1
!
enable secret q1w2e3r4
username admin password 1q2w3e4r
username system password manager
username markus password 1q2w3e4r
!
ip subnet-zero
ip cef
!
interface Loopback0
 description $Id: edge1-confg,v 1.4 2002/10/19 15:49:02 markus Exp $
 ip address 172.16.0.11 255.255.255.255
!
interface Ethernet0
 description Edge1 LAN (to CPE)
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0
 description *** unused ***
 no ip address
 shutdown
!
interface Serial1
 description Access link Edge1 to Core2
 bandwidth 2000
 no ip address
 encapsulation frame-relay
 no fair-queue
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
!
interface Serial1.100 point-to-point
 description Access link Edge1 to Core2
 bandwidth 64
 ip unnumbered Loopback0
 frame-relay class 64KBPS
 frame-relay interface-dlci 100
!
interface Serial1.400 point-to-point
 description Access link Edge1 to Core1
 bandwidth 64
 ip unnumbered Loopback0
 frame-relay class 64KBPS
 frame-relay interface-dlci 400
!
router ospf 65000
 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 10.1.1.0
 network 172.16.0.0 0.0.0.255 area 0
!
ip classless
no ip http server
ip pim bidir-enable
!
map-class frame-relay 64KBPS
 frame-relay traffic-rate 64000 128000
 frame-relay adaptive-shaping becn
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
 exec-timeout 15 0
 login local
line vty 0 4
 exec-timeout 15 0
 login local
 transport input telnet
end
A.1.8 Router Edge2 - IPv4
! $Id: edge2-confg,v 1.2 2002/09/28 18:50:32 markus Exp $
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Edge2
!
enable secret q1w2e3r4
username admin password 1q2w3e4r
username system password manager
username markus password 1q2w3e4r
!
ip subnet-zero
ip cef
!
interface Loopback0
 description $Id: edge2-confg,v 1.2 2002/09/28 18:50:32 markus Exp $
 ip address 172.16.0.12 255.255.255.255
!
interface Ethernet0
 description Edge2 LAN (to CPE)
 ip address 10.2.1.1 255.255.255.0
!
interface Serial0
 description Access link Edge2 to Core3
 bandwidth 2000
 no ip address
 encapsulation frame-relay
 no fair-queue
 clockrate 2000000
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
!
interface Serial0.100 point-to-point
 description Access link Edge2 to Core3
 bandwidth 64
 ip unnumbered Loopback0
 frame-relay class 64KBPS
 frame-relay interface-dlci 100
!
interface Serial0.300 point-to-point
 description Access link Edge2 to Core2
 bandwidth 64
 ip unnumbered Loopback0
 frame-relay class 64KBPS
 frame-relay interface-dlci 300
!
interface Serial1
 description *** unused ***
 no ip address
 shutdown
!
interface BRI0
 no ip address
 shutdown
!
router ospf 65000
 log-adjacency-changes
 network 10.2.1.0 0.0.0.255 area 10.2.1.0
 network 172.16.0.0 0.0.0.255 area 0
!
ip classless
no ip http server
no ip pim bidir-enable
!
map-class frame-relay 64KBPS
 frame-relay traffic-rate 64000 128000
 frame-relay adaptive-shaping becn
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
 exec-timeout 15 0
 login local
line vty 0 4
 exec-timeout 15 0
 login local
 transport input telnet
end
A.1.9 Router Zerberus - IPv4
[file 910-Configuration-Log/zerberus-confg does not exist]
A.1.10 Host Anchor - IPv4
[file 910-Configuration-Log/anchor-confg does not exist]
A.1.11 Host Dinghy - IPv4
/etc/rc.conf
[email protected]# cat /etc/rc.conf
# $NetBSD: rc.conf,v 1.96 2000/10/14 17:01:29 wiz Exp $
#
# see rc.conf(5) for more information.
#
# Use program=YES to enable program, NO to disable it.  program_flags are
# passed to the program on the command line.
#

# Load the defaults in from /etc/defaults/rc.conf (if it's readable).
# These can be overridden below.
#
if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
fi

# If this is not set to YES, the system will drop into single-user mode.
#
rc_configured=YES

#
# Add local overrides below
#

# Web server
thttpd=YES

# Logging
syslogd=YES        syslogd_flags=""        # Allow remote boxes to use syslogd
newsyslog=YES      newsyslog_flags=""      # Trim log files

# NTP
ntpd=YES

# IPv4 routing
# IPv4 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet.ip.forwarding=1
# Routing daemons are started via daemontools
# -> /service/gated
/etc/rc.local
[email protected]# cat /etc/rc.local
# $NetBSD: rc.local,v 1.29 2000/10/07 00:22:44 hubertf Exp $
# originally from: @(#)rc.local 8.3 (Berkeley) 4/28/94
#
# This file is (nearly) the last thing invoked by /etc/rc during a
# normal boot, via /etc/rc.d/local.
#
# It is intended to be edited locally to add site-specific boot-time
# actions, such as starting locally installed daemons.
#
# An alternative option is to create site-specific /etc/rc.d scripts.
#

echo -n 'starting local daemons:'

# Add your local daemons here.
#

# Enable ip forwarding
sysctl -w net.inet.ip.forwarding=1
sysctl -w net.inet6.ip6.forwarding=1

#if [ -f /usr/pkg/etc/rc.d/apache ]; then
#        /usr/pkg/etc/rc.d/apache start
#fi

echo '.'

#
# We're using Daemontools to manage local services - starting svscan
#
env - PATH=/usr/local/bin:/usr/pkg/bin:/usr/pkg/sbin:/usr/sbin:/usr/bin:/bin csh -cf 'svscan /service &'
/etc/ifconfig.sq0
[email protected]# cat /etc/ifconfig.sq0
up
172.16.255.2 netmask 0xffffff00
/etc/syslog.conf
[email protected]# cat /etc/syslog.conf
# $NetBSD: syslog.conf,v 1.7 2001/02/12 06:08:31 mycroft Exp $

local4.*                                        /var/log/router.log

*.err;kern.*;auth.notice;authpriv.none;mail.crit        /dev/console
*.info;auth,authpriv,cron,ftp,kern,lpr,mail.none        /var/log/messages
kern.debug                                      /var/log/messages

# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publically-readable
# files.
auth,authpriv.info                              /var/log/authlog

cron.info                                       /var/cron/log
ftp.info                                        /var/log/xferlog
lpr.info                                        /var/log/lpd-errs
mail.info                                       /var/log/maillog
#uucp.info                                      /var/spool/uucp/ERRORS

*.emerg                                         *
*.notice                                        root
/etc/newsyslog.conf
[email protected]# cat /etc/newsyslog.conf
# $NetBSD: newsyslog.conf,v 1.15 2002/03/29 02:47:26 heinz Exp $
#
# Configuration file for newsyslog(8).
#
# logfilename          [owner:group]  mode ngen size when  flags [/pidfile] [sigtype]
#
/var/cron/log          root:wheel     600  3    10   *     Z
/var/log/aculog        uucp:dialer    640  7    *    24    Z
/var/log/authlog                      600  5    30   *     Z
/var/log/kerberos.log                 640  7    *    24    ZN
/var/log/lpd-errs                     640  7    10   *     Z
/var/log/maillog                      600  7    *    24    Z
/var/log/messages                     644  5    30   *     Z
/var/log/wtmp                         644  7    *    168   ZBN
/var/log/xferlog                      640  7    250  *     Z
/var/log/gated.log                    644  5    30   *     Z
/var/log/router.log                   644  5    30   *     Z
/etc/ntp.conf
[email protected]# cat /etc/ntp.conf
# $Id$
# Network Time Protocol (NTP) configuration file for ntpd

# Process ID file, so that the daemon can be signalled from scripts

pidfile /var/run/ntpd.pid

# The correction calculated by ntpd(8) for the local system clock's
# drift is stored here

driftfile /var/db/ntp.drift

# suppress the syslog(3) message for each peer synchronization change

logconfig -syncstatus

# Hereafter should be "server" or "peer" statements to configure
# other hosts to exchange NTP packets with.
#
# Ideally, you should select at least three other systems to talk
# NTP with, for an "what I tell you three times is true" effect.

server anchor.brest.lab
peer core1.brest.lab
peer core2.brest.lab
peer core2.brest.lab
peer edge1.brest.lab
peer edge2.brest.lab
peer edge3.brest.lab
/etc/gated.conf
[email protected]# ll /service/
total 0
lrwxr-xr-x  1 root  wheel  21 Oct  1 14:09 gated -> /usr/local/etc/gated/
lrwxr-xr-x  1 root  wheel  19 Sep 17 11:33 thttpd -> /usr/pkg/etc/thttpd
lrwxr-xr-x  1 root  wheel  18 Sep 30 16:25 zebra -> /usr/pkg/etc/[email protected]#
[email protected]# cat /service/gated/run
#!/bin/sh
exec /usr/local/sbin/gated -N -f /etc/gated.conf /var/log/[email protected]#
[email protected]# cat /etc/gated.conf
ospf yes {
        backbone {
                interface sq0;
        };
};
[email protected]#
A.2 IPv6 Configuration
A.2.1 Router Anchor - IPv6
Anchor serves as IPv6 hub router and route reflector.
/etc/rc.conf
[email protected]# cat /etc/rc.conf
# $NetBSD: rc.conf,v 1.96 2000/10/14 17:01:29 wiz Exp $
#
# see rc.conf(5) for more information.
#
# Use program=YES to enable program, NO to disable it.  program_flags are
# passed to the program on the command line.
#

# Load the defaults in from /etc/defaults/rc.conf (if it's readable).
# These can be overridden below.
#
if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
fi

# If this is not set to YES, the system will drop into single-user mode.
#
rc_configured=YES

# Add local overrides below
#

# Logging
syslogd=YES        syslogd_flags=""        # Allow remote boxes to use syslogd
newsyslog=YES      newsyslog_flags=""      # Trim log files

# NTP
ntpd=YES

# IPv4 routing
# IPv4 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet.ip.forwarding=1
# Routing daemons are started via daemontools
# -> /service/ospfd

# IPv6 routing
# IPv6 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet6.ip.forwarding=1
# Routing daemons are started via daemontools
# -> /service/zebra
# -> /service/bgpd
ip6mode=router                          # host, autohost or router
ip6sitelocal=YES                        # IPv6 sitelocal addrs
rtsol=NO           rtsol_flags="-a"     # for ip6mode=autohost only
rtadvd=YES         rtadvd_flags="tlp0"

#
# NFS server => netboot the Indy
#
# rpcbind=YES      rpcbind_flags="-l"
# nfs_server=YES
# lockd=YES
# statd=YES
#
# DHCPd => netboot the Indy
#
dhcpd=YES          dhcpd_flags="-q tlp0"
[email protected]#
/etc/rc.local
[email protected]# cat /etc/rc.local
# $NetBSD: rc.local,v 1.29 2000/10/07 00:22:44 hubertf Exp $
# originally from: @(#)rc.local 8.3 (Berkeley) 4/28/94
#
# This file is (nearly) the last thing invoked by /etc/rc during a
# normal boot, via /etc/rc.d/local.
#
# It is intended to be edited locally to add site-specific boot-time
# actions, such as starting locally installed daemons.
#
# An alternative option is to create site-specific /etc/rc.d scripts.
#

echo -n 'starting local daemons:'

# Add your local daemons here.
#

# Enable ip forwarding
sysctl -w net.inet.ip.forwarding=1
sysctl -w net.inet6.ip6.forwarding=1

#
# We're using Daemontools to start local services - starting svscan now
#
env - PATH=/usr/local/bin:/usr/pkg/bin:/usr/pkg/sbin:/usr/sbin:/usr/bin:/bin csh -cf 'svscan /service &'
[email protected]#
/etc/ifconfig.*
[email protected]# cat /etc/ifconfig.lo0
inet6 fefe::a prefixlen 128 [email protected]#
[email protected]# cat /etc/ifconfig.tlp0
up
172.16.254.2 netmask 0xffffff00 media 10baseT
inet6 fefe:a::1 prefixlen 64 [email protected]#
[email protected]# cat /etc/ifconfig.gif0
create
tunnel 172.16.254.2 172.16.255.2
inet6 [email protected]#
[email protected]# cat /etc/ifconfig.gif1
create
tunnel 172.16.254.2 172.16.0.11
inet6 [email protected]#
[email protected]# cat /etc/ifconfig.gif2
create
tunnel 172.16.254.2 172.16.0.12
inet6 [email protected]#
[email protected]# cat /etc/ifconfig.gif3
create
tunnel 172.16.254.2 10.3.1.1
inet6 [email protected]#
/etc/zebra.conf
!
! $Id: anchor-ipv6-zebra.conf,v 1.2 2002/10/23 18:18:55 markus Exp $
!
hostname Anchor(zebra)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/zebra.log
!
interface tlp0
 description Office LAN
 ipv6 address fefe:a::1/64
 ipv6 nd suppress-ra
!
interface ep0
 description ***unused***
 ipv6 nd suppress-ra
!
interface lo0
 description $Id: anchor-ipv6-zebra.conf,v 1.2 2002/10/23 18:18:55 markus Exp $
 ipv6 address fefe::a/128
!
interface ppp0
 description ***unused***
 ipv6 nd suppress-ra
!
interface ppp1
 description ***unused***
 ipv6 nd suppress-ra
!
interface ppp2
 description ***unused***
 ipv6 nd suppress-ra
!
interface ppp3
 description ***unused***
 ipv6 nd suppress-ra
!
interface sl0
 description ***unused***
 ipv6 nd suppress-ra
!
interface sl1
 description ***unused***
 ipv6 nd suppress-ra
!
interface sl2
 description ***unused***
 ipv6 nd suppress-ra
!
interface sl3
 description ***unused***
 ipv6 nd suppress-ra
!
interface gif0
 description IPv6 tunnel to router Dinghy
 ipv6 nd suppress-ra
!
interface gif1
 description IPv6 tunnel to router Edge1
 ipv6 nd suppress-ra
!
interface gif2
 description IPv6 tunnel to router Edge2
 ipv6 nd suppress-ra
!
interface gif3
 description ***unused***
 ipv6 nd suppress-ra
!
ip route 224.0.0.5/32 127.0.0.1
ip route 224.0.0.6/32 127.0.0.1
ipv6 route fefe::d/128 gif0
ipv6 route fefe::e1/128 gif1 253
ipv6 route fefe::e2/128 gif2 253
!
!
line vty
!
/etc/bgpd.conf
!
! $Id: anchor-ipv6-bgpd.conf,v 1.1 2002/10/23 15:55:26 markus Exp $
!
hostname Anchor(bgpd)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/bgpd.log
!
router bgp 65000
 bgp deterministic-med
 neighbor MESH peer-group
 neighbor MESH remote-as 65000
 neighbor MESH description Fellow route reflectors
 neighbor MESH update-source lo0
 no neighbor MESH activate
!*! Edge1
 neighbor fefe::e1 remote-as 65000
 neighbor fefe::e1 update-source lo0
 no neighbor fefe::e1 activate
!*! Edge2
 neighbor fefe::e2 remote-as 65000
 neighbor fefe::e2 update-source lo0
 no neighbor fefe::e2 activate
!
 address-family ipv6
 redistribute connected
 redistribute static
 neighbor MESH activate
 neighbor MESH next-hop-self
 neighbor MESH route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
!*! Edge1
 neighbor fefe::d peer-group MESH
 neighbor fefe::e1 activate
 neighbor fefe::e1 route-reflector-client
 neighbor fefe::e1 next-hop-self
 neighbor fefe::e1 route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
!*! Edge2
 neighbor fefe::e2 activate
 neighbor fefe::e2 route-reflector-client
 neighbor fefe::e2 next-hop-self
 neighbor fefe::e2 route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 set ipv6 next-hop global fefe::a
!
line vty
!
A.2.2 Router Dinghy - IPv6
Dinghy serves as the second IPv6 hub router and route reflector.
/etc/rc.conf
[email protected]# cat /etc/rc.conf
# $NetBSD: rc.conf,v 1.96 2000/10/14 17:01:29 wiz Exp $
#
# see rc.conf(5) for more information.
#
# Use program=YES to enable program, NO to disable it.  program_flags are
# passed to the program on the command line.
#

# Load the defaults in from /etc/defaults/rc.conf (if it's readable).
# These can be overridden below.
#
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
fi

# If this is not set to YES, the system will drop into single-user mode.
#
rc_configured=YES

#
# Add local overrides below
#
thttpd=YES

# Logging
syslogd=YES	syslogd_flags=""	# Allow remote boxes to use syslogd
newsyslog=YES	newsyslog_flags=""	# Trim log files

# NTP
ntpd=YES

# IPv4 routing
# IPv4 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet.ip.forwarding=1
# Routing daemons are started via daemontools
# -> /service/gated

# IPv6 routing
# IPv6 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet6.ip6.forwarding=1
# Routing daemons are started via daemontools
# -> /service/zebra
# -> /service/bgpd
ip6mode=router
ip6sitelocal=YES
rtadvd=YES	rtadvd_flags="sq0"
rtsol=NO	rtsol_flags="-a"	# for ip6mode=autohost [email protected]#
/etc/rc.local
[email protected]# cat /etc/rc.local
# $NetBSD: rc.local,v 1.29 2000/10/07 00:22:44 hubertf Exp $
# originally from: @(#)rc.local	8.3 (Berkeley) 4/28/94
#
# This file is (nearly) the last thing invoked by /etc/rc during a
# normal boot, via /etc/rc.d/local.
#
# It is intended to be edited locally to add site-specific boot-time
# actions, such as starting locally installed daemons.
#
# An alternative option is to create site-specific /etc/rc.d scripts.
#

echo -n 'starting local daemons:'

# Add your local daemons here.
#

# RADIUS
#if [ -f /usr/pkg/etc/rc.d/radiusd ]; then
#	/usr/pkg/etc/rc.d/radiusd start
#fi
#echo '-> radiusd'

# Enable ip forwarding
sysctl -w net.inet.ip.forwarding=1
sysctl -w net.inet6.ip6.forwarding=1

#
# We're using Daemontools to manage local services - starting svscan
#
env - PATH=/usr/local/bin:/usr/pkg/bin:/usr/pkg/sbin:/usr/sbin:/usr/bin:/bin csh -cf 'svscan /service &'
[email protected]#
/etc/ifconfig.*
[email protected]# cat /etc/ifconfig.lo0
inet6 fefe::d prefixlen 128 [email protected]#
[email protected]# cat /etc/ifconfig.sq0
up
172.16.255.2 netmask 0xffffff00
inet6 fefe:d::1 prefixlen 64 [email protected]#
[email protected]# cat /etc/ifconfig.gif0
create
tunnel 172.16.255.2 172.16.254.2
inet6 [email protected]#
[email protected]# cat /etc/ifconfig.gif1
create
tunnel 172.16.255.2 172.16.0.11
inet6 [email protected]#
[email protected]# cat /etc/ifconfig.gif2
create
tunnel 172.16.255.2 172.16.0.12
inet6 [email protected]#
/etc/zebra.conf
!
! $Id: dinghy-ipv6-zebra.conf,v 1.1 2002/10/23 16:00:32 markus Exp $
!
hostname Dinghy(zebra)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/zebra.log
!
interface sq0
 description To routers Core4 (IPv4, IPv6) and Core1 (IPv4)
 ipv6 address fefe:d::1/64
 ipv6 nd suppress-ra
!
interface lo0
 description $Id: dinghy-ipv6-zebra.conf,v 1.1 2002/10/23 16:00:32 markus Exp $
 ipv6 address fefe::d/128
!
interface ppp0
 description ***unused***
 ipv6 nd suppress-ra
!
interface ppp1
 description ***unused***
 ipv6 nd suppress-ra
!
interface sl0
 description ***unused***
 ipv6 nd suppress-ra
!
interface sl1
 description ***unused***
 ipv6 nd suppress-ra
!
interface strip0
 description ***unused***
 ipv6 nd suppress-ra
!
interface strip1
 description ***unused***
 ipv6 nd suppress-ra
!
interface gif0
 description IPv6 tunnel to router Anchor
 ipv6 nd suppress-ra
!
interface gif1
 description IPv6 tunnel to router Edge1
 ipv6 nd suppress-ra
!
interface gif2
 description IPv6 tunnel to router Edge2
 ipv6 address fefe:bb:d::5/126
 ipv6 nd suppress-ra
!
ip route 224.0.0.5/32 127.0.0.1
ip route 224.0.0.6/32 127.0.0.1
ipv6 route fefe::a/128 gif0
ipv6 route fefe::e1/128 gif1 253
ipv6 route fefe::e2/128 gif2 253
ipv6 route fefe::e3/128 fefe:d::2 253
!
!
line vty
!
/etc/bgpd.conf
!
! $Id: dinghy-ipv6-bgpd.conf,v 1.1 2002/10/23 16:00:40 markus Exp $
!
hostname Dinghy(bgpd)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/bgpd.log
!
router bgp 65000
 bgp deterministic-med
 neighbor MESH peer-group
 neighbor MESH remote-as 65000
 neighbor MESH description Fellow route reflectors
 neighbor MESH update-source lo0
 no neighbor MESH activate
!*! Edge1
 neighbor fefe::e1 remote-as 65000
 neighbor fefe::e1 update-source lo0
 no neighbor fefe::e1 activate
!*! Edge2
 neighbor fefe::e2 remote-as 65000
 neighbor fefe::e2 update-source lo0
 no neighbor fefe::e2 activate
!*! Edge3 (Core4)
 neighbor fefe::e3 remote-as 65000
 neighbor fefe::e3 update-source lo0
 no neighbor fefe::e3 activate
!
 address-family ipv6
 redistribute connected
 redistribute static
 neighbor MESH activate
 neighbor MESH next-hop-self
 neighbor MESH route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::a peer-group MESH
!*! Edge1
 neighbor fefe::e1 activate
 neighbor fefe::e1 route-reflector-client
 neighbor fefe::e1 next-hop-self
 neighbor fefe::e1 route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
!*! Edge2
 neighbor fefe::e2 activate
 neighbor fefe::e2 route-reflector-client
 neighbor fefe::e2 next-hop-self
 neighbor fefe::e2 route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
!*! Edge3
 neighbor fefe::e3 activate
 neighbor fefe::e3 route-reflector-client
 neighbor fefe::e3 next-hop-self
 neighbor fefe::e3 route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 set ipv6 next-hop global fefe::d
!
line vty
!
A.2.3 Router Edge1 - IPv6
The following commands add IPv6 to the base IPv4 configuration of the router.
! $Id: edge1-ipv6-confg,v 1.12 2002/10/25 14:20:23 markus Exp $
!
! Add IPv6 to the IPv4 configuration of router Edge1
!
ipv6 unicast-routing
!
! Configure interfaces
!
interface loopback 0
 ipv6 address fefe::e1/128
 exit
!
interface loopback 20
 description $Id: edge1-ipv6-confg,v 1.12 2002/10/25 14:20:23 markus Exp $
!
interface ethernet 0
 ipv6 address fefe:e1::1/64
 exit
!
interface tunnel 0
 description IPv6 tunnel to router Anchor
 ipv6 unnumbered loopback 0
 ipv6 enable
 tunnel source loopback 0
 tunnel destination 172.16.254.2
 tunnel mode ipv6ip
 exit
!
interface tunnel 1
 description IPv6 tunnel to router Dinghy
 ipv6 unnumbered loopback 0
 ipv6 enable
 tunnel source loopback 0
 tunnel destination 172.16.255.2
 tunnel mode ipv6ip
 exit
!
! Configure BGP Routing
!
ipv6 route fefe::a/128 Tunnel0
ipv6 route fefe::d/128 Tunnel1
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 bgp deterministic-med
 neighbor ROUTE-REFLECTORS peer-group
 neighbor ROUTE-REFLECTORS remote-as 65000
 neighbor ROUTE-REFLECTORS description Upstream route reflector servers
 neighbor ROUTE-REFLECTORS update-source Loopback0
 no neighbor ROUTE-REFLECTORS activate
 no auto-summary
 !
 address-family ipv6
 neighbor ROUTE-REFLECTORS activate
 neighbor ROUTE-REFLECTORS next-hop-self
 neighbor ROUTE-REFLECTORS send-community
 neighbor ROUTE-REFLECTORS route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::a peer-group ROUTE-REFLECTORS
 neighbor fefe::d peer-group ROUTE-REFLECTORS
 no synchronization
 redistribute connected
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 description Set next hop to global IPv6 addr; default is using link local IPv6 addr
 set ipv6 next-hop fefe::e1
!
! Configure RIPv6 Routing
!
ipv6 router rip EDGE-LAN
 distance 254
 redistribute bgp 65000 metric 10
 distribute-list prefix-list DENY_ALL in
!
ipv6 prefix-list DENY_ALL seq 5 deny ::/0
!
interface Ethernet0
 ipv6 rip EDGE-LAN enable
!
! End of module IPv6-Edge1
A.2.4 Router Edge2 - IPv6
The following commands add IPv6 to the base IPv4 configuration of the router.
! $Id: edge2-ipv6-confg,v 1.14 2002/10/25 14:21:15 markus Exp $
!
! Add IPv6 to the IPv4 configuration of router Edge2
!
ipv6 unicast-routing
!
! Configure interfaces
!
interface loopback 0
 ipv6 address fefe::e2/128
 exit
!
interface loopback 20
 description $Id: edge2-ipv6-confg,v 1.14 2002/10/25 14:21:15 markus Exp $
!
interface ethernet 0
 ipv6 address fefe:e2::1/64
 exit
!
interface tunnel 0
 description IPv6 tunnel to router Anchor
 ipv6 unnumbered loopback 0
 ipv6 enable
 tunnel source loopback 0
 tunnel destination 172.16.254.2
 tunnel mode ipv6ip
 exit
!
interface tunnel 1
 description IPv6 tunnel to router Dinghy
 ipv6 unnumbered loopback 0
 ipv6 enable
 tunnel source loopback 0
 tunnel destination 172.16.255.2
 tunnel mode ipv6ip
 exit
!
! Configure BGP Routing
!
ipv6 route fefe::a/128 Tunnel0
ipv6 route fefe::d/128 Tunnel1
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 bgp deterministic-med
 neighbor ROUTE-REFLECTORS peer-group
 neighbor ROUTE-REFLECTORS remote-as 65000
 neighbor ROUTE-REFLECTORS description Upstream route reflector servers
 neighbor ROUTE-REFLECTORS update-source Loopback0
 no neighbor ROUTE-REFLECTORS activate
 no auto-summary
 !
 address-family ipv6
 neighbor ROUTE-REFLECTORS activate
 neighbor ROUTE-REFLECTORS next-hop-self
 neighbor ROUTE-REFLECTORS send-community
 neighbor ROUTE-REFLECTORS route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::a peer-group ROUTE-REFLECTORS
 neighbor fefe::d peer-group ROUTE-REFLECTORS
 no synchronization
 redistribute connected
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 description Set next hop to global IPv6 addr; default is using link local IPv6 addr
 set ipv6 next-hop fefe::e2
!
! Configure RIPv6 Routing
!
ipv6 router rip EDGE-LAN
 distance 254
 redistribute bgp 65000 metric 10
 distribute-list prefix-list DENY_ALL in
!
ipv6 prefix-list DENY_ALL seq 5 deny ::/0
!
interface Ethernet0
 ipv6 rip EDGE-LAN enable
!
! End of module IPv6-Edge2
A.2.5 Router Core4 - IPv6
/etc/rc.conf
[email protected]# cat /etc/rc.conf
# $NetBSD: rc.conf,v 1.85.2.9 2001/04/24 22:42:44 he Exp $
#
# see rc.conf(5) for more information.
#
# Use program=YES to enable program, NO to disable it.  program_flags are
# passed to the program on the command line.
#

# Load the defaults in from /etc/defaults/rc.conf (if it's readable).
# These can be overridden below.
#
if [ -r /etc/defaults/rc.conf ]; then
	. /etc/defaults/rc.conf
fi

# If this is not set to YES, the system will drop into single-user mode.
#
rc_configured=YES

# Add local overrides below
#

# Console
wscons=YES

# Logging
newsyslog=YES	newsyslog_flags=""	# Trim log files

# NTP
ntpd=YES

# MPLS - AYAME
# Interface options are set in rc.local
# -> /usr/ayame/sbin/ifconfig lo0 mtu 1500
# -> /usr/ayame/sbin/ifconfig lo0 mpls 0:0
# Multicast route is set in rc.local
# -> route add -net 224.0.0.0 -netmask 255.0.0.0 127.0.0.1
# Kernel options are set in rc.local
# -> /usr/ayame/sbin/sysctl -w net.mpls.mapttl_ip=0
# Daemons are started via daemontools
# -> /service/ayamed
# -> /service/ldpd
mpls=YES

# IPv4 routing
# IPv4 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet.ip.forwarding=1
# Routing daemons are started via daemontools
# -> /service/zebra
# -> /service/ospfd

# IPv6 routing
# IPv6 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet6.ip6.forwarding=1
# Routing daemons are started via daemontools
# -> /service/zebra
# -> /service/bgpd
ip6mode=router			# host, autohost or router
#ip6sitelocal=YES		# IPv6 sitelocal addrs -> NetBSD 1.6
rtsol=NO	rtsol_flags="-a"	# for ip6mode=autohost only
rtadvd=YES	rtadvd_flags="ne2"
[email protected]#
/etc/rc.local
[email protected]# cat /etc/rc.local
# $NetBSD: rc.local,v 1.25.10.2 2000/10/07 20:21:35 hubertf Exp $
# originally from: @(#)rc.local	8.3 (Berkeley) 4/28/94
#
# This file is (nearly) the last thing invoked by /etc/rc during a
# normal boot, via /etc/rc.d/local.
#
# It is intended to be edited locally to add site-specific boot-time
# actions, such as starting locally installed daemons.
#
# An alternative option is to create site-specific /etc/rc.d scripts.
#

echo -n 'starting local daemons:'

# Add your local daemons here.
#
# Enable ip forwarding
sysctl -w net.inet.ip.forwarding=1
sysctl -w net.inet6.ip6.forwarding=1

# MPLS - AYAME
# Interface options
/usr/ayame/sbin/ifconfig lo0 mtu 1500
/usr/ayame/sbin/ifconfig lo0 mpls 0:0
# Multicast route
route add -net 224.0.0.0 -netmask 255.0.0.0 127.0.0.1
# Kernel options
/usr/ayame/sbin/sysctl -w net.mpls.mapttl_ip=0
# Daemons are started via daemontools
# -> /service/ayamed
# -> /service/ldpd

#
# We're using Daemontools to start local services - starting svscan now
#
env - PATH=/usr/local/bin:/usr/pkg/bin:/usr/pkg/sbin:/usr/sbin:/usr/bin:/bin csh -cf 'svscan /service &'

# German keyboard
wsconsctl -k -w [email protected]#
/etc/ifconfig.*
[email protected]# cat /etc/ifconfig.lo0
inet6 fefe::e3 prefixlen 128 [email protected]#
[email protected]# cat /etc/ifconfig.rtk0
172.16.3.2 netmask 0xfffffffc media [email protected]#
[email protected]# cat /etc/ifconfig.rtk1
172.16.255.4 netmask 0xffffff00 media 10baseT
inet6 fefe:d::2 prefixlen 64 [email protected]#
[email protected]# cat /etc/ifconfig.ne2
10.3.1.1 netmask 0xffffff00 media autoselect
inet6 fefe:e3::1 prefixlen 64 [email protected]#
[email protected]# cat /etc/ifconfig.gif0
create
tunnel 10.3.1.1 172.16.254.2
inet6 [email protected]#
/etc/zebra.conf
[email protected]# cat /etc/zebra.conf
!
! Zebra configuration saved from vty
!   2002/10/12 20:04:09
!
hostname Core4(zebra)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/zebra.log
!
debug zebra events
!
interface ne2
 description Edge LAN
 ipv6 nd suppress-ra
!
interface rtk0
 description IPv4-only link to Core3
 ipv6 nd suppress-ra
!
interface rtk1
 description IPv4/IPv6 link to Core1 and Dinghy
 ipv6 nd suppress-ra
!
interface lo0
 description Loopback for BGP peering (IPv6)
!
interface ppp0
 ipv6 nd suppress-ra
!
interface ppp1
 ipv6 nd suppress-ra
!
interface sl0
 ipv6 nd suppress-ra
!
interface sl1
 ipv6 nd suppress-ra
!
interface strip0
 ipv6 nd suppress-ra
!
interface strip1
 ipv6 nd suppress-ra
!
interface tun0
 ipv6 nd suppress-ra
!
interface tun1
 ipv6 nd suppress-ra
!
interface gre0
 ipv6 nd suppress-ra
!
interface gre1
 ipv6 nd suppress-ra
!
interface ipip0
 ipv6 nd suppress-ra
!
interface ipip1
 ipv6 nd suppress-ra
!
interface gif0
 description IPv6 tunnel to router Anchor
 ipv6 nd suppress-ra
!
interface gif1
 description IPv6 tunnel to router Dinghy
 ipv6 nd suppress-ra
!
interface gif2
 ipv6 nd suppress-ra
!
interface gif3
 ipv6 nd suppress-ra
!
ip route 224.0.0.5/32 127.0.0.1
ip route 224.0.0.6/32 127.0.0.1
ipv6 route fefe::a/128 gif0
ipv6 route fefe::d/128 fefe:d::1
!
!
line vty
!
[email protected]#
/etc/bgpd.conf
[email protected]# cat /etc/bgpd.conf
!
! Zebra configuration saved from vty
!   2002/10/12 20:11:10
!
hostname Core4(bgpd)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/bgpd.log
!
router bgp 65000
 bgp deterministic-med
 neighbor ROUTE-REFLECTORS peer-group
 neighbor ROUTE-REFLECTORS remote-as 65000
 neighbor ROUTE-REFLECTORS description Upstream route reflector servers
 neighbor ROUTE-REFLECTORS update-source Loopback0
 no neighbor ROUTE-REFLECTORS activate
!
 address-family ipv6
 redistribute connected
 neighbor ROUTE-REFLECTORS activate
 neighbor ROUTE-REFLECTORS next-hop-self
 neighbor ROUTE-REFLECTORS route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::a peer-group ROUTE-REFLECTORS
 neighbor fefe::d peer-group ROUTE-REFLECTORS
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 set ipv6 next-hop global fefe::e3
!
line vty
!
[email protected]#
A.3 RADIUS
The following files configure RADIUS on host Dinghy.
/usr/pkg/etc/raddb/clients
[email protected]# cat /usr/pkg/etc/raddb/clients
#
# clients	This file contains a list of clients which are allowed to
#		make authentication requests and their encryption key.
#
# Description of the fields:
#
#   * The first field is a valid hostname or IP address
#     for the client.
#   * The second field (separated by blanks or tabs) is the
#     encryption key.

# Client Name		Key
#----------------	----------
core1.brest.lab		Brest-Lab
core2.brest.lab		Brest-Lab
core3.brest.lab		Brest-Lab
edge1.brest.lab		Brest-Lab
edge2.brest.lab		Brest-Lab
edge3.brest.lab		Brest-Lab
/usr/pkg/etc/raddb/naslist
[email protected]# cat /usr/pkg/etc/raddb/naslist
#
# naslist	This file contains a list of NASes (Network Access Servers,
#		also known as terminal servers) which we know.
#
# Description of the fields:
#
#   * The first field is a valid hostname or IP address
#     for the client. It's matched against the NAS-IP-Address
#     sent in the radius packets by the client.
#   * The second field (separated by blanks or tabs) is the
#     short name we use in the logfiles for this NAS.
#     This means /var/log/radacct/<shortname>/detail,
#     and Sxx:<shortname> in the radwtmp file.
#   * The third field defines what type of device it is. Valid
#     values are "livingston", "cisco", etc etc.
#     This is used to find out how to detect simultaneous logins.
#     Please read doc/README.simul for further information.
#
# You can use DEFAULT as a catch-all.
#

# NAS Name		Short Name	Type
#----------------	----------	----
core1.brest.lab		core1		cisco
core2.brest.lab		core2		cisco
core3.brest.lab		core3		cisco
edge1.brest.lab		edge1		cisco
edge2.brest.lab		edge2		cisco
edge3.brest.lab		edge3		other
DEFAULT			default		other
/usr/pkg/etc/raddb/users
[email protected]# cat /usr/pkg/etc/raddb/users
#
# This file contains security and configuration information
# for each user.
#

#
# This is the enable password used for all of our routers.
#
$enab15$	Auth-Type = Local, Password = "q1w2e3r4"
		Service-Type = Administrative-User

#
# All accounts are checked against the UNIX /etc/passwd
# unless a password was already given earlier in this file.
#
DEFAULT	Auth-Type = System
	Fall-Through = 1

#
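The clients file hands every NAS the same shared secret, Brest-Lab, and the users file stores the routers' enable password under $enab15$. It is worth seeing what that secret protects on the wire: RFC 2865 hides User-Password by XORing it with an MD5 keystream derived from the secret and the Request Authenticator, and the Response Authenticator is an MD5 over the reply plus the secret, which is the only thing that ties an Access-Accept to the holder of the secret. The Python below is an added example, not from the lab; it takes the secret and the $enab15$ password from the files above and constructs everything else (packet identifier, NAS address, Request Authenticator). With one secret shared by all six NASes, that secret read from any one router decodes the enable password out of every other router's requests.

```python
import hashlib
import hmac
import struct

# Values as they appear in the raddb files above; everything else in this example
# (packet identifier, NAS address, Request Authenticator) is constructed.
SHARED_SECRET = b"Brest-Lab"      # clients file: one key for every NAS
ENABLE_PASSWORD = b"q1w2e3r4"     # users file: $enab15$ entry

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, c_i = p_i XOR MD5(secret + c_{i-1}),
    c_0 = Request Authenticator. Keyed obfuscation, not per-session encryption."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + chunk, chunk
    return out


def unhide_password(hidden, secret, request_auth):
    """Server side: regenerate the same keystream, then strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(chunk, mask)), chunk
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(packet):
    attrs, i = [], 20
    while i + 2 <= len(packet):
        t, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[i + 2:i + length]))
        i += length
    return attrs


def build_request(ident, request_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """NAS side: accept only a reply computed with the secret for this request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def exchange(secret=SHARED_SECRET, password=ENABLE_PASSWORD):
    """One Access-Request / Access-Accept round trip with the checks on both sides.
    The Request Authenticator is a fixed constructed value here; a real NAS must draw
    a fresh random one per request (os.urandom(16)) or the keystream repeats."""
    request_auth = bytes(range(16))
    nas_ip = bytes([172, 16, 0, 11])             # constructed NAS-IP-Address
    attrs = [(USER_NAME, b"$enab15$"),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, nas_ip)]
    request = build_request(7, request_auth, attrs)

    # Server: recover the password, answer with Service-Type = Administrative-User (6).
    recovered = unhide_password(dict(parse_attrs(request))[USER_PASSWORD], secret, request[4:20])
    code = ACCESS_ACCEPT if recovered == password else ACCESS_REJECT
    reply = build_response(code, 7, request[4:20], [(SERVICE_TYPE, struct.pack("!I", 6))], secret)

    tampered = reply[:-1] + bytes([reply[-1] ^ 0x01])   # flip one attribute byte in transit
    return {
        "recovered": recovered,
        "code": code,
        "accept_verified": verify_response(reply, request_auth, secret),
        "tampered_rejected": not verify_response(tampered, request_auth, secret),
        "wrong_secret_rejected": not verify_response(reply, request_auth, b"not-Brest-Lab"),
    }
```

Note what the Response Authenticator does not cover: nothing in the request itself is authenticated to the server (RFC 2865 has no Message-Authenticator for plain PAP), so the clients file entry is the only thing that decides whether a request from core1.brest.lab is honoured.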
A.4 Ploticus
zerberus.sh
# $Id: zerberus.sh,v 1.1 2002/08/22 19:21:39 markus Exp $

date +"%Y%m%d %H:%M" >> /home/markus/log/zerberus-cpu.log
rtr2 zerberus show proc cpu | grep CPU >> /home/markus/log/zerberus-cpu.log

date +"%Y%m%d %H:%M" >> /home/markus/log/zerberus-memory.log
rtr2 zerberus show proc mem | grep Total: >> /home/markus/log/zerberus-memory.log
cpu.pl
// $Id: cpu.pl,v 1.1 2002/08/22 19:21:13 markus Exp $
#proc getdata
  file: ../log/zerberus-cpu.log
  delim: space
  fieldnames: datestamp timestamp CPU utilization for five seconds: crap one minute: cpu-1 five minutes: cpu-5
  showresults: yes

#proc areadef
  areaname: standard
  title: CPU Utilization (5 Minute Moving Average)
  titledetails: align=C size=12 style=B adjust=0,0.2
  rectangle: 1 1 7.5 4
  xscaletype: time hh:mm
  //xautorange: datafield=timestamp
  xrange: 17:00 20:00
  yscaletype: linear
  yrange: 0 100
  frame: yes

#proc xaxis
  grid: color=oceanblue
  gridskip: minmax
  label: Time
  labeldetails: size=10 style=B adjust=0,-0.4
  stubs: incremental 5
  stubformat: hh:mm
  stubvert: yes

#proc yaxis
  grid: color=oceanblue
  gridskip: minmax
  label: Percent
  labeldetails: size=10 style=B
  stubs: incremental 10

#proc lineplot
  xfield: timestamp
  yfield: cpu-5
  stairstep: yes
  // gapmissing: yes    // Documented on the web site but not available in my ploticus
  numbers: yes
  linedetails: width=2 color=green
  //fill: green
  legendlabel: Moving average over 5 minutes read from router

//#proc curvefit
//  curvetype: movingavg
//  xfield: timestamp
//  yfield: cpu-5
//  order: 12
//  linedetails: color=red
//  legendlabel: Moving average over 60 min

//#proc legend
//  location: min+1 min-0.5
//  format: singleline
mem.pl
// $Id: mem.pl,v 1.1 2002/08/22 19:21:22 markus Exp $
#proc getdata
  file: ../log/zerberus-memory.log
  delim: space
  fieldnames: datestamp timestamp Total: total-mem Used: used-mem Free: free-mem
  showresults: yes

#proc areadef
  areaname: standard
  title: Processor Memory Utilization (5 Minute)
  titledetails: align=C size=12 style=B adjust=0,0.2
  rectangle: 1 1 7.5 4
  xscaletype: time hh:mm
  //xautorange: datafield=timestamp
  xrange: 17:00 20:00
  yscaletype: linear
  yrange: 0 16384000    // Adapt this to the processor memory in the router;
                        // Zerberus has 16MB, 14MB are processor memory
  frame: yes

#proc xaxis
  grid: color=oceanblue
  gridskip: minmax
  label: Time
  labeldetails: size=10 style=B
  labeldistance: 0.65
  stubs: incremental 5
  stubformat: hh:mm
  stubvert: yes

#proc yaxis
  grid: color=oceanblue
  gridskip: minmax
  label: Byte
  labeldetails: size=10 style=B
  labeldistance: 0.75
  stubs: incremental 1000000    //1048576
  stubformat: %3.0f

#proc lineplot
  xfield: timestamp
  yfield: total-mem
  stairstep: yes
  //gapmissing: yes    // Documented on the web site but not available in my ploticus
  linedetails: width=2 color=blue
  legendlabel: Total memory

#proc lineplot
  xfield: timestamp
  yfield: used-mem
  stairstep: yes
  //gapmissing: yes    // Documented on the web site but my ploticus complains
  linedetails: width=2 color=red
  legendlabel: Used memory

#proc lineplot
  xfield: timestamp
  yfield: free-mem
  stairstep: yes
  //gapmissing: yes    // Documented on the web site but not available in my ploticus
  linedetails: width=2 color=green
  legendlabel: Free memory

#proc legend
  location: min+0.75 min-0.65
  format: singleline
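zerberus.sh writes a date line followed by the one "show proc cpu" or "show proc mem" line that grep lets through, and the fieldnames lists in cpu.pl and mem.pl rely on each record being exactly those two lines. When rtr2 fails, the date has already been appended, the record is short, and every later field shifts by one record. The Python below is an added example rather than one of the lab's scripts: it parses the log as zerberus.sh lays it out, reports stamps that got no data line, and flags samples over a threshold. It accepts both the "Total: n, Used: n, Free: n" and the "Processor Pool Total: n Used: n Free: n" form of the memory summary, an assumption about which IOS releases the lab routers run. The sample logs are constructed.

```python
import re

# Constructed sample logs in the layout zerberus.sh produces: a date +"%Y%m%d %H:%M"
# line followed by the single IOS line that "| grep CPU" or "| grep Total:" passes.
# The 19:26 stamp in CPU_LOG has no data line, which is what the log looks like
# when rtr2 fails (the date is appended before the router is contacted).
CPU_LOG = """\
20020822 19:21
CPU utilization for five seconds: 7%/2%; one minute: 5%; five minutes: 4%
20020822 19:26
20020822 19:31
CPU utilization for five seconds: 63%/41%; one minute: 48%; five minutes: 22%
20020822 19:36
CPU utilization for five seconds: 99%/97%; one minute: 95%; five minutes: 88%
"""

MEM_LOG = """\
20020822 19:21
Total: 14192432, Used: 3598500, Free: 10593932
20020822 19:26
Processor Pool Total: 14192432 Used: 13400000 Free: 792432
"""

STAMP_RE = re.compile(r"^(\d{8}) (\d{2}:\d{2})$")
CPU_RE = re.compile(r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
                    r"one minute: (\d+)%; five minutes: (\d+)%")
# Matches both "Total: n, Used: n, Free: n" and "Processor Pool Total: n Used: n Free: n".
MEM_RE = re.compile(r"Total:\s*(\d+),?\s+Used:\s*(\d+),?\s+Free:\s*(\d+)")


def parse_ios_line(line):
    """Turn one 'show proc cpu' or 'show proc mem' summary line into a dict, or None."""
    m = CPU_RE.search(line)
    if m:
        five_total, five_irq, one, five_min = map(int, m.groups())
        return {"kind": "cpu", "cpu5s": five_total, "irq5s": five_irq,
                "cpu1": one, "cpu5": five_min}
    m = MEM_RE.search(line)
    if m:
        total, used, free = map(int, m.groups())
        return {"kind": "mem", "total": total, "used": used, "free": free}
    return None


def parse_log(text):
    """Pair each timestamp with the IOS line after it.
    Returns (records, orphans, unparsed): orphans are stamps with no data line,
    unparsed are lines that matched neither a stamp nor a known IOS summary."""
    records, orphans, unparsed = [], [], []
    stamp = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STAMP_RE.match(line)
        if m:
            if stamp is not None:
                orphans.append(stamp)        # previous stamp never got its data line
            stamp = (m.group(1), m.group(2))
            continue
        rec = parse_ios_line(line)
        if rec is None or stamp is None:
            unparsed.append(line)            # garbage, or data with no preceding stamp
            continue
        rec["date"], rec["time"] = stamp
        records.append(rec)
        stamp = None
    if stamp is not None:
        orphans.append(stamp)
    return records, orphans, unparsed


def over_threshold(records, cpu5_max=None, free_min=None):
    """Flag samples that a 5-minute graph would only show after the fact."""
    hits = []
    for r in records:
        if r["kind"] == "cpu" and cpu5_max is not None and r["cpu5"] > cpu5_max:
            hits.append((r["date"], r["time"], f"cpu5={r['cpu5']}% > {cpu5_max}%"))
        if r["kind"] == "mem" and free_min is not None and r["free"] < free_min:
            hits.append((r["date"], r["time"], f"free={r['free']} < {free_min}"))
    return hits


if __name__ == "__main__":
    for log in (CPU_LOG, MEM_LOG):
        recs, orphans, bad = parse_log(log)
        print(len(recs), "records; orphans:", orphans, "unparsed:", bad)
        print(over_threshold(recs, cpu5_max=80, free_min=1_000_000))
```

Feeding the real zerberus-cpu.log through parse_log before Ploticus runs tells you whether the fieldnames alignment still holds; a non-empty orphans list means the two-line records are out of step from that stamp onward.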
A.5 MRTG
mrtg.conf
#
# $Id: mrtg.conf,v 1.1 2002/09/23 18:09:46 mrtg Exp $
#

#
# Set global options
#
WorkDir: /home/mrtg/public_html
RunAsDaemon: Yes
Refresh: 300
Interval: 5
WriteExpires: Yes
#Language: german

#
# Load per-router configuration files
#
Include: edge1-cpu_mrtg.conf
Include: edge1-memory_mrtg.conf

Include: edge2-cpu_mrtg.conf
Include: edge2-memory_mrtg.conf

Include: hub1-cpu_mrtg.conf
Include: hub1-memory_mrtg.conf
router_name-cpu_mrtg.conf
# $Id: router_name-cpu_mrtg.conf,v 1.2 2002/09/25 12:58:08 root Exp $
#
# Graph CPU load of a Cisco router
#
# OID avgBusy5  1.3.6.1.4.1.9.2.1.58.0
#       5 minute exponentially-decayed moving
#       average of the CPU busy percentage.
#
# OID avgBusy1  1.3.6.1.4.1.9.2.1.57.0
#       1 minute exponentially-decayed moving
#       average of the CPU busy percentage.

# Replace these variables to individualize this template:
# <ROUTER_NAME>
# <ROUTER_SHORT_NAME>
# <SNMP_COMMUNITY>

Target[cpu-<ROUTER_SHORT_NAME>]: 1.3.6.1.4.1.9.2.1.58.0&1.3.6.1.4.1.9.2.1.57.0:<SNMP_COMMUNITY>@<ROUTER_NAME>
RouterUptime[cpu-<ROUTER_SHORT_NAME>]: <SNMP_COMMUNITY>@<ROUTER_NAME>
Supress[cpu-<ROUTER_SHORT_NAME>]: wmy
PageTop[cpu-<ROUTER_SHORT_NAME>]: <H1>CPU Statistics for Router <ROUTER_SHORT_NAME></H1>
Title[cpu-<ROUTER_SHORT_NAME>]: CPU Statistics for Router <ROUTER_SHORT_NAME>
PageFoot[cpu-<ROUTER_SHORT_NAME>]: <P>Data for OIDs "avgBusy5" and "avgBusy1" is collected in 5 minute intervals.</P>
MaxBytes[cpu-<ROUTER_SHORT_NAME>]: 100
Directory[cpu-<ROUTER_SHORT_NAME>]: <ROUTER_SHORT_NAME>
Options[cpu-<ROUTER_SHORT_NAME>]: gauge, growright, unknaszero, nobanner
Colours[cpu-<ROUTER_SHORT_NAME>]: RED#ff0000,BLUE#1000ff,GREEN#006600,VIOLET#ff00ff
YLegend[cpu-<ROUTER_SHORT_NAME>]: Percent
ShortLegend[cpu-<ROUTER_SHORT_NAME>]: %
Legend1[cpu-<ROUTER_SHORT_NAME>]: 5 minute average of CPU busy
Legend2[cpu-<ROUTER_SHORT_NAME>]: 1 minute average of CPU busy
LegendI[cpu-<ROUTER_SHORT_NAME>]: 5min:
LegendO[cpu-<ROUTER_SHORT_NAME>]: 1min:
router_name-memory_mrtg.conf
# $Id: router_name-memory_mrtg.conf,v 1.2 2002/09/25 13:40:06 root Exp $
#
# Graph memory utilization of a Cisco router
#
# OID ciscoMemoryPoolUsed 1.3.6.1.4.1.9.9.48.1.1.1.5.0
#       Indicates the number of bytes from the memory pool
#       that are currently in use by applications on the
#       managed device.
# OID ciscoMemoryPoolFree 1.3.6.1.4.1.9.9.48.1.1.1.6.0
#       Indicates the number of bytes from the memory pool
#       that are currently unused on the managed device.
#       Note that the sum of ciscoMemoryPoolUsed and
#       ciscoMemoryPoolFree is the total amount of memory
#       in the pool
# OID ciscoMemoryPoolLargestFree 1.3.6.1.4.1.9.9.48.1.1.1.7.0
#       Indicates the largest number of contiguous bytes
#       from the memory pool that are currently unused on
#       the managed device.

# Replace these variables to individualize this template:
# <ROUTER_NAME>
# <ROUTER_SHORT_NAME>
# <SNMP_COMMUNITY>
# <PHYSICAL_MEMORY>   Amount of DRAM (in MB) present in the router.
# <PROCESSOR_MEMORY>  Use the value from the "show version" display (in byte)

Target[mem-<ROUTER_SHORT_NAME>]: 1.3.6.1.4.1.9.9.48.1.1.1.5.0&1.3.6.1.4.1.9.9.48.1.1.1.6.0:<SNMP_COMMUNITY>@<ROUTER_NAME>
RouterUptime[mem-<ROUTER_SHORT_NAME>]: <SNMP_COMMUNITY>@<ROUTER_NAME>
Supress[mem-<ROUTER_SHORT_NAME>]: wmy
PageTop[mem-<ROUTER_SHORT_NAME>]: <H1>Memory Statistics for Router <ROUTER_SHORT_NAME></H1>
 <P>Router has <PHYSICAL_MEMORY> MB of DRAM installed.
 <PROCESSOR_MEMORY> Byte are used as processor memory.</P>
Title[mem-<ROUTER_SHORT_NAME>]: Memory Statistics for Router <ROUTER_SHORT_NAME>
PageFoot[mem-<ROUTER_SHORT_NAME>]: <P>Data for OIDs is collected in 5 minute intervals.</P>
 <P>The sum of ciscoMemoryPoolUsed and ciscoMemoryPoolFree
 is the total amount of memory in the pool.</P>
MaxBytes[mem-<ROUTER_SHORT_NAME>]: <PROCESSOR_MEMORY>
Unscaled[mem-<ROUTER_SHORT_NAME>]: d
Directory[mem-<ROUTER_SHORT_NAME>]: <ROUTER_SHORT_NAME>
Options[mem-<ROUTER_SHORT_NAME>]: gauge, integer, growright, unknaszero, nobanner
Colours[mem-<ROUTER_SHORT_NAME>]: RED#ff0000,BLUE#1000ff,GREEN#006600,VIOLET#ff00ff
YLegend[mem-<ROUTER_SHORT_NAME>]: Bytes
ShortLegend[mem-<ROUTER_SHORT_NAME>]: byte
Legend1[mem-<ROUTER_SHORT_NAME>]: Bytes from the memory pool that are used
Legend2[mem-<ROUTER_SHORT_NAME>]: Bytes from the memory pool that are unused
LegendI[mem-<ROUTER_SHORT_NAME>]: usedBytes:
LegendO[mem-<ROUTER_SHORT_NAME>]: freeBytes:

Target[memfree-<ROUTER_SHORT_NAME>]: 1.3.6.1.4.1.9.9.48.1.1.1.6.0&1.3.6.1.4.1.9.9.48.1.1.1.7.0:<SNMP_COMMUNITY>@<ROUTER_NAME>
RouterUptime[memfree-<ROUTER_SHORT_NAME>]: <SNMP_COMMUNITY>@<ROUTER_NAME>
Supress[memfree-<ROUTER_SHORT_NAME>]: wmy
PageTop[memfree-<ROUTER_SHORT_NAME>]: <H1>Free Memory Statistics for Router <ROUTER_SHORT_NAME></H1>
 <P>Router has <PHYSICAL_MEMORY> MB of DRAM installed.
 <PROCESSOR_MEMORY> Byte are used as processor memory.</P>
Title[memfree-<ROUTER_SHORT_NAME>]: Free Memory Statistics for Router <ROUTER_SHORT_NAME>
PageFoot[memfree-<ROUTER_SHORT_NAME>]: <P>Data for OIDs is collected in 5 minute intervals.</P>
 <P>Do we have fragmented memory?</P>
MaxBytes[memfree-<ROUTER_SHORT_NAME>]: <PROCESSOR_MEMORY>
Unscaled[memfree-<ROUTER_SHORT_NAME>]: d
Directory[memfree-<ROUTER_SHORT_NAME>]: <ROUTER_SHORT_NAME>
Options[memfree-<ROUTER_SHORT_NAME>]: gauge, integer, growright, unknaszero, nobanner
Colours[memfree-<ROUTER_SHORT_NAME>]: RED#ff0000,BLUE#1000ff,GREEN#006600,VIOLET#ff00ff
YLegend[memfree-<ROUTER_SHORT_NAME>]: Bytes
ShortLegend[memfree-<ROUTER_SHORT_NAME>]: byte
Legend1[memfree-<ROUTER_SHORT_NAME>]: Bytes from the memory pool that are unused
Legend2[memfree-<ROUTER_SHORT_NAME>]: Largest block (contiguous bytes) of free memory
LegendI[memfree-<ROUTER_SHORT_NAME>]: freeBytes:
LegendO[memfree-<ROUTER_SHORT_NAME>]: largestBlock:
A.6 Expect
rtr3
#!/usr/pkg/bin/expect --
#
# $Id: rtr3,v 1.3 2002/09/30 18:21:50 markus Exp $
#
# Connect to a Cisco/Zebra/Unix box and execute one or multiple commands
# Cisco: A box prompting "Username:" is considered a Cisco router.
#        Logon uses username/password/enable_password
# Zebra: A box prompting "Password:" is considered a Zebra router
#        or a Cisco router without username.
#        Logon uses password/enable_password
# Unix:  A box prompting "login:" is considered a Unix machine.
#        Login uses username/password/root_password
#
# Syntax: rtr3 <router> [<cli_command> [: <cli_command>]]
#
# Implicit: username/password tuple for any router is defined in this script
#           empty command string connects to the router interactively
#
# Caveats: (1) Passing command flags to Unix boxes does not work.
#          (2) Script does not work with pre-authenticated access such as Kerberos.
#          (3) Script requires prompts containing the character > in
#              unprivileged mode and prompts containing the character # in
#              privileged mode.

# Set default values
set cisco_username admin
set cisco_password geheim
set cisco_enable_password strenggeheim
set unix_username admin
set unix_password geheim
set unix_root_password strenggeheim
set zebra_password geheim
set zebra_enable_password strenggeheim

# Redefine defaults with user specific values
if [file exists ~/.rtr3] {
    source ~/.rtr3
} else {
    puts "ERROR: ~/.rtr3 does not exist"
    puts "Default username and passwords are most likely not suitable for your network."
    puts ""
    puts "~/.rtr3 format:"
    puts "set cisco_username <username>"
    puts "set cisco_password <password>"
    puts "set cisco_enable_password <password>"
    puts "set unix_username <username>"
    puts "set unix_password <password>"
    puts "set unix_root_password <password>"
    puts "set zebra_password <password>"
    puts "set zebra_enable_password <password>"
    exit 1
}

#
# Procedure execute_command
#
proc execute_command {command_string remote_box} {
    if {$command_string == "INTERACTIVE"} {
        interact
        exit 0
    } else {
        # Give a command up to 5 min. to complete
        set timeout 300

        switch -- $remote_box {
            "CISCO" {
                send "term leng 0\r"
                expect "#" {} default { puts "Error. Giving up."; exit 1 }
            }
            "ZEBRA" {
                send "term leng 0\r"
                expect "#" {} default { puts "Error. Giving up."; exit 1 }
            }
            default {}
        }

        foreach element $command_string {
            if {$element == ":"} {
                send \r
                expect "#" {} default { puts "Error. Giving up."; exit 1 }
            } else {
                send "$element "
            } ;# closes if
        } ;# closes foreach
        send \r;
        expect "#" {} default { puts "Error. Giving up."; exit 1 }
        exit 0
    }
}
#
# End of procedure execute_command
#
## Procedure logon_cisco## Telnet returned a "Username:" prompt => assuming remote box is Ciscoproc logon_cisco {username password enable_password command remote_box} {
send "$username\r"expect "Password:" {} default { puts "Error. Giving up."; exit 1 }send "$password\r"expect {
">" {}"% Authentication failed." { exit 1 }default { puts "Error. Giving up."; exit 1 }}
send "enable\r"expect "Password:" {} default { puts "Error. Giving up."; exit 1 }send "$enable_password\r"expect {
"#" {execute_command $command $remote_box; return}"Access denied" {exit 1}default { puts "Error. Giving up."; exit 1 }}
}## End of procedure logon_cisco#
## Procedure logon_zebra## Telnet returned a "Password:" prompt => assuming remote box is Zebraproc logon_zebra {password enable_password command remote_box} {
send "$password\r"expect {
">" {}"Authentication failed" { exit 1 }default { puts "Error. Giving up."; exit 1 }}
send "enable\r"expect "Password:" {} default { exit 1 }send "$enable_password\r"expect {
"#" {execute_command $command $remote_box; return}"Access denied" {exit 1}default { puts "Error. Giving up."; exit 1 }}
}#
Concept: November 24, 2002 116
Configuration Log Expect
110
# End of procedure logon_zebra#
#
# Procedure logon_unix
#
# Telnet returned a "login:" prompt => assuming remote box is NetBSD
proc logon_unix {username password root_password command remote_box} {
    send "$username\r"
    expect "Password:" {} default { exit 1 }
    send "$password\r"
    expect {
        ">" {}
        "Login incorrect" { exit 1 }
        default { puts "Error. Giving up."; exit 1 }
    }
    send "su -\r"
    expect "Password:" {} default { puts "Error. Giving up."; exit 1 }
    send "$root_password\r"
    expect {
        "#" {execute_command $command $remote_box; return}
        "Sorry" {exit 1}
        default { puts "Error. Giving up."; exit 1 }
    }
}
#
# End of procedure logon_unix
#

########## ########## ########## ########## ########## ########## ##########
#
# Main procedure
#

# check arguments
if {[llength $argv] == 0} {
    puts "Connect to a Cisco/Zebra/Unix box and execute one or multiple commands"
    puts " "
    puts "Syntax: rtr3 \<router\> \[\<command string\> \[ : \<command string\>\]\]"
    puts ""
    puts "Example:"
    puts "rtr3 zebrabox:2604 show ip ospf neigh : show ip ospf database"
    puts "rtr3 ciscobox conf t : int eth 0 : shutdown"
    puts "rtr3 unixbox ifconfig de0 : ifconfig ep1 : cat /etc/gated.conf"
    puts ""
    puts "Implicit:"
    puts "Username/password/enable_password of targets must be defined in ~/.rtr3"
    puts "Empty command string connects to the router interactively"
    puts ""
    puts "Caveats:"
    puts "(1) Passing command flags to Unix boxes does not work."
    puts "(2) Script does not work with pre-authenticated access such as Kerberos."
    puts "(3) Script requires prompts containing the character > in"
    puts "    unprivileged mode and prompts containing the character # in"
    puts "    privileged mode."
    exit 1
}

# If we reach this point an argument was passed to the script.
# Let's see what we have.
set i 0
set j 0
set router ""
set command ""
set element ""
set remote_box "UNKNOWN"

foreach element $argv {
    incr i
    if {$i == 1} {
        set j [string first ":" $element]
        if {$j == -1} {
            # no port number given
            set router $element
        } else {
            # port number given
            regsub ":" $element " " router
        }
    } else {
        set command "$command$element "
    }
}

if {$command == ""} {
    set command "INTERACTIVE"
}

# The variables $router and $command now store the router name and the command string.
# $command contains INTERACTIVE if no command string was specified.

# Login to the router and switch to enable mode
set timeout 10
spawn /bin/sh -c "exec telnet $router"
expect {
    "Username:" {
        set remote_box "CISCO"
        logon_cisco $cisco_username $cisco_password $cisco_enable_password $command $remote_box
    }
    "Password:" {
        set remote_box "ZEBRA"
        logon_zebra $zebra_password $zebra_enable_password $command $remote_box
    }
    "login:" {
        set remote_box "UNIX"
        logon_unix $unix_username $unix_password $unix_root_password $command $remote_box
    }
    default {
        puts "Error telnetting to $router. Giving up."
        exit 1
    }
}
exit 0
#
# End of main procedure
#
########## ########## ########## ########## ########## ########## ##########
B Problem and Resolution Log
B.1 2002-09-00 - Installing NetBSD on SGI Indy
B.1.1 Status: SOLVED
B.1.2 Symptom
On a head-less Indy pressing the Escape key does not bring the machine into PROM mode.
B.1.3 Analysis
From: Rafal Boni <[email protected]>
Date: Tue, 10 Sep 2002 20:43:00 Europe/Berlin
To: Markus Boeing <[email protected]>
Subject: Re: Q: Headless Indy, How to go into PROM monitor

In message <[email protected]>, you write:

-> Hi Rafal,
->
-> thanks for your reply.
->
-> Well, the serial console works ok I think (I'm using <Mac modem
-> cable>-<null modem>-<straight Cisco console cable>). I can see messages
-> during the boot up on the terminal. I just don't know how to get the PROM
-> mode, pressing ESC on the serial console doesn't help.

First, is your keyboard plugged in? If so, unplug it.... You should then
at least get messages on the serial console about the KB being unavailable
and it falling back to serial console...

Second of all, I think you should be able to press any key to interrupt
the boot if you hit it in the right period of a couple of seconds. If
you *are* getting messages on the console, it might be interesting to
paste (or paraphrase) what you see... There are cases (ie, a bad SCSI
disk, etc.) where the PROM can hang for quite a while and not respond
to input *before* it offers you a choice of doing anything (esp. if
it's attempting to do the diagnostics).

(All my SGI's are in storage right now, or I'd give you better clues 8-)
--rafal

----
Rafal Boni                                            [email protected]
We are all worms. But I do believe I am a glowworm. -- Winston Churchill
From: Steve Rikli <[email protected]>
Date: Tue, 10 Sep 2002 21:08:17 Europe/Berlin
To: [email protected] (Markus Boeing)
Subject: Re: Q: Headless Indy, How to go into PROM monitor

Markus Böing wrote:
>
> may I ask a very basic question regarding SGI Indy operation?
>
> I recently acquired an Indy w/o monitor that I would like to use with
> NetBSD as a lab server. My problem is that I am running the box headless
> and I cannot get it into PROM mode. I can see the request to press ESC
> during boot up but it seems that I cannot force the box into PROM from the
> serial console. Any ideas how to do that? BTW I cannot access the box once
> it booted up. It responds neither to serial console nor to telnet. Most
> probably the operating system is screwed up badly.

Possibly a serial cable pinout problem? E.g. maybe you have the "TX"
and "RX" pins talking to the corresponding "TX" and "RX" rather than
vice versa? (ie. pins 2 and 3 are flipped the wrong way?)

The way it's _supposed_ to work (in theory ;-) ) is very much like Sun
hardware, if you're familiar at all with that. That is, unplug the
keyboard, plug in the serial console cable (should be a round "din-8"
connector on Indy) and hit <esc> to interrupt the bootup.

After that you should see a prompt which looks like ">>" -- that's the
IRIX PROM.

cheers,
sr.
--
Steve Rikli
Systems Administrator
[email protected]
"When I was younger, I made it a rule never to take strong drink before lunch.
It is now my rule never to do so before breakfast." - Winston Churchill
B.1.4 Solution
Replaced the console cable. I am now using [Indy serial port 1]-[Mac modem cable (DB25)]-[null modem]-[Cisco DB25-to-RJ45 plug (Terminal)]-[Cisco RJ45-to-RJ45 console cable (roll-over cable)]-[DEC VT510].
B.1.5 Symptom
Using the PROM to boot a kernel from a TFTP server produces "wrong magic number" error messages but does not boot the kernel.

B.1.6 Analysis

The symptom is described in the NetBSD/sgimips FAQ (http://www.netbsd.org/Ports/sgimips/faq.html): "Another old PROM issue -- old PROMs don't understand ELF, so you may need an ECOFF kernel."

B.1.7 Solution

Booting an uncompressed ECOFF kernel fixed the problem (booting a gzipped ECOFF kernel produced the same "wrong magic number" messages).

B.1.8 Symptom

Using the PROM to boot a kernel from a TFTP server starts the transfer but then times out with the error message "no such device".
B.1.9 Analysis
From: Rafal Boni <[email protected]>
Date: Wed, 11 Sep 2002 21:56:20 Europe/Berlin
To: Markus Boeing <[email protected]>
Cc: [email protected]
Subject: Re: Q: Netbooting installation kernel fails on INDY

In message <[email protected]>, you write:

-> Ladies and Gents,
->
-> I have yet another question regarding NetBSD installation on Indy:
->
-> I am using the files from the 200209080000 directory on releng.netbsd.org.
->
-> I have set up a server (NetBSD/alpha with DHCP client entry for the Indy,
-> TFTP enabled and boot kernel in /tftpboot/netbsd) with kernel
-> netbsd-INDY_INSTALL.ecoff. The Indy root directory holds the contents of
-> installation/netboot/diskimage.gz.

Your Indy probably should be fine with the ELF version, but that's not
the issue here...
-> I am booting the Indy from PROM:
->
-> >>boot -f bootp():/netbsd/netbsd-INDY_INSTALL.ecoff
-> Setting $netaddr to 172.16.254.20 (from server 172.16.254.2)
-> Obtaining /netbsd/netbsd-INDY_INSTALL.ecoff from server 172.16.254.2
-> 5876528
-> Cannot load bootp():/netbsd/netbsd-INDY_INSTALL.ecoff.
-> Error reading text section: cnt=0xc0, expected 0x59ab30.
-> Unable to load bootp():/netbsd/netbsd-INDY_INSTALL.ecoff: no such device.
->
-> The whole process takes a couple of minutes.

Please check the FAQ (at http://www.netbsd.org/Ports/sgimips/faq.html), esp.
the following link: http://www.netbsd.org/Ports/sgimips/faq.html#prom-tftp-client-failing

The problem is most likely the Indy's PROM getting confused by the returned
TFTP packets and timing out the transfer.

--rafal

----
Rafal Boni                                            [email protected]
We are all worms. But I do believe I am a glowworm. -- Winston Churchill
B.1.10 Solution
Modifying the port settings of the TFTP server (NetBSD/alpha) fixed the problem: sysctl -w net.inet.ip.anonportmin=20000 and sysctl -w net.inet.ip.anonportmax=32767.
B.2 2001-10-06 - GateD: No IP forwarding
B.2.1 Status: SOLVED
B.2.2 Symptom
GateD complains about missing support for IP forwarding during startup. This happens under NetBSD v1.5/i386 and NetBSD v1.5.2/Alpha.

B.2.3 Analysis

The GENERIC kernel of NetBSD does not have IP forwarding enabled by default. This can be verified with the command sysctl net.inet.ip.forwarding. In order to use routing software on a NetBSD machine, IP forwarding must be enabled.
B.2.4 Solution
There are two options to solve the problem:
• Compile a new kernel with IP forwarding enabled by default.
• Add the statement sysctl -w net.inet.ip.forwarding=1 to the file /etc/rc.local.
The second approach has been implemented.
B.3 2001-10-04 - Zebra OSPFd on NetBSD does not form Adjacency
B.3.1 Status: SOLVED
B.3.2 Symptom
List: zebra
Subject: [zebra 10698] Q: OSPF is not establishing adjacency
From: Markus Boeing <[email protected]>
Date: 2001-10-04 18:49:19

Ladies and Gents,

may I ask for your help regarding Zebra and OSPF?

I am setting up a small lab using Cisco routers, GateD and Zebra. So far I
was unable to get Zebra's OSPF up.

I am using Zebra v0.91a on NetBSD 1.5/i386 (installed from package
distribution) but I could observe the same behavior with Zebra v0.92a
compiled from source.

The lab topology is pretty simple, two Cisco routers and the Zebra box
share a LAN (IPv4: 192.168.16.0/27; .1 and .2 are Cisco boxes; .3 is Zebra).
BTW The Zebra box has only one interface but that is ok. I want to use
it as BGP route reflector server later on.

What happens now is that the Zebra box receives Hellos from the Ciscos
but itself is not sending Hellos. Therefore bidirectional communication
cannot be established and an adjacency will not be formed. The Cisco boxes
use their LAN interface for router id (=> They are in a connected network,
no routing is involved to get to it.). The configuration of the Cisco
boxes should be fine because they play nicely with each other and
GateD/OSPF.

Observation:
- Debug on the Cisco boxes does not show Hello packets emitted from the
  Zebra box.
- Debug on the Zebra box shows incoming Hello packets (HelloReceived,
  1-WayReceived) and "sendto in ospf_write failed with No route to host".

Theory:
- I misconfigured Zebra.
Here is my ospfd.conf
+---
hostname Gamma(ospfd)
password 1q2w3e4r
enable password 1q2w3e4r
!
interface ne2
 ip ospf network broadcast
!
router ospf
 network 192.168.16.3/27 area 0 ! mask should match "ifconfig netmask"
 ospf router-id 192.168.16.3
 ospf abr-type cisco ! probably useless
 area 0 range 192.168.16.0/24
!
log file /var/log/zebra/ospfd.log
+---

+---
root@gamma# ifconfig ne2
ne2: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (10baseT)
        inet 192.168.16.3 netmask 0xffffffe0 broadcast 192.168.16.31
        inet6 fe80::2e0:7dff:fe95:9450%ne2 prefixlen 64 scopeid 0x1
root@gamma#
+---

Here is some output from debug on Zebra:
+---
2001/10/04 19:33:10 OSPF: NSM[ne2:192.168.16.2]: Init (HelloReceived)
2001/10/04 19:33:10 OSPF: NSM[ne2:192.168.16.2]: nsm_ignore called
2001/10/04 19:33:10 OSPF: NSM[ne2:192.168.16.2]: Init (1-WayReceived)
2001/10/04 19:33:17 OSPF: make_hello: options: 2, int: ne2
2001/10/04 19:33:17 OSPF: *** sendto in ospf_write failed with No route to host
2001/10/04 19:33:20 OSPF: Packet 192.168.16.2 [Hello:RECV]: Options *|*|-|-|-|-|E|*
2001/10/04 19:33:20 OSPF: NSM[ne2:192.168.16.2]: Init (HelloReceived)
2001/10/04 19:33:20 OSPF: NSM[ne2:192.168.16.2]: nsm_ignore called
2001/10/04 19:33:20 OSPF: NSM[ne2:192.168.16.2]: Init (1-WayReceived)
2001/10/04 19:33:27 OSPF: make_hello: options: 2, int: ne2
2001/10/04 19:33:27 OSPF: *** sendto in ospf_write failed with No route to host
2001/10/04 19:33:30 OSPF: Packet 192.168.16.2 [Hello:RECV]: Options *|*|-|-|-|-|E|*
+---
Help and comments are greatly appreciated.
TIA
/Markus.
+---
Markus A. Boeing
mailto://[email protected]
http://www.boeing-online.de
+---
"For the man who does not know where he is heading, there is no favourable wind." Seneca
B.3.3 Analysis
List: zebra
Subject: [zebra 10712] RE: Q: OSPF is not establishing adjacency
From: "Frank Dauer" <[email protected]>
Date: 2001-10-05 8:20:27

Hello,

> - Debug on the Zebra box shows incoming Hello packets (HelloReceived,
> 1-WayReceived) and "sendto in ospf_write failed with No
> route to host".
The ospfd does not know where to send his (multicast) packets to.
A friend of mine has had a similar problem with FreeBSD. Try addinga loopback route for 224. (i.e., route add 224 127.0.0.1).
Bye,
Frank
List: zebra
Subject: [zebra 10719] Re: Q: OSPF is not establishing adjacency
From: Jasper Wallace <[email protected]>
Date: 2001-10-05 11:07:02

On Thu, 4 Oct 2001, Markus Böing wrote:

> Ladies and Gents,
>
> may I ask for your help regarding Zebra and OSPF?
>
> I am setting up a small lab using Cisco routers, GateD and Zebra. So far I
> was unable to get Zebra's OSPF up.
>
> I am using Zebra v0.91a on NetBSD 1.5/i386 (installed from package
> distribution) but I could observe the same behavior with Zebra v0.92a
> compiled from source.

0.92a is in the latest version of pkgsrc.

> Observation:
> - Debug on the Cisco boxes does not show Hello packets emitted from the
> Zebra box.
> - Debug on the Zebra box shows incoming Hello packets (HelloReceived,
> 1-WayReceived) and "sendto in ospf_write failed with No route to host".

zebra doesn't quite understand the way multicast works on the BSD's - you
need to add something like:

!
ip route 224.0.0.5/32 127.0.0.1
ip route 224.0.0.6/32 127.0.0.1
ip route 224.0.0.9/32 127.0.0.1
!

near the end of zebra.conf. (ok, so the last one is for RIP, but it doesn't
hurt).

> Theory:
> - I misconfigured Zebra.

--
Internet Vision            Internet Consultancy        Tel: 020 7589 4500
60 Albert Court            & Web development           Fax: 020 7589 4522
Prince Consort Road        [email protected]
London SW7 2BE             http://www.ivision.co.uk/
List: zebra
Subject: [zebra 10726] Re: Q: OSPF is not establishing adjacency
From: [email protected]
Date: 2001-10-05 16:28:34

On 4 Oct 2001 at 20:49, Markus Böing wrote:

> Observation:
> - Debug on the Cisco boxes does not show Hello packets emitted from
> the Zebra box. - Debug on the Zebra box shows incoming Hello packets
> (HelloReceived, 1-WayReceived) and "sendto in ospf_write failed with
> No route to host".

This is a bug in Zebra and/or BSD. The kernel in BSD tries to do a route
lookup on the multicast destination 224.0.0.5 (AllSPFRouters), which
fails if there is no default-route or other route to a prefix covering
that address.

I believe old gated installs the needed dummy route in order to avoid
this problem, which Zebra also should do IMHO.

I recently saw a suggested modification to FreeBSD kernel - if the
output interface is indicated and the packet type is multicast in the
call to ip_output() then just send the packet and ignore the routing
table - in order to avoid this and similar multicast-related problems
when the system lacks a default route.

I don't know if it has been implemented for future FreeBSD kernels, but
even if it has it will take some time I guess before all flavors of BSD
support it and have been upgraded out there. Which means that we are
back to a Zebra modification. So far I don't know if any of the Zebra
people has responded to this issue and if it is a planned modification?
--
Fredrik Nyman
PacketFront Sweden AB
http://www.packetfront.com/
List: zebra
Subject: [zebra 10733] Re: Q: OSPF is not establishing adjacency
From: "Daniel C. Sobral" <[email protected]>
Date: 2001-10-05 19:45:21

[email protected] wrote:

>
> This is a bug in Zebra and/or BSD. The kernel in BSD tries to do a route
> lookup on the multicast destination 224.0.0.5 (AllSPFRouters), which
> fails if there is no default-route or other route to a prefix covering
> that address.
According to the Multicast RFC, the bug is in the BSD kernel. Alas, afaikall ip stacks out there had this problem at some point. It was just BSDtaking longer to fix this.
Alas, the patch was in for FreeBSD-current for quite a while, and I havejust committed it on FreeBSD-stable (I was waiting 4.4 to come out, as Ididn’t want to commit something like this close to code freeze date).
--
Daniel C. Sobral (8-DCS)
[email protected]@[email protected]@notorious.bsdconspiracy.net

TRUTHFUL: Dumb and illiterate.
B.3.4 Solution
Added static routes for the multicast addresses 224.0.0.5 (AllSPFRouters) and 224.0.0.6 (AllDRouters)to zebra.conf.
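The messages from Fredrik and Daniel above describe the mechanism behind the symptom: on these BSD kernels a multicast destination goes through the ordinary route lookup, so ospfd's sendto() fails with "No route to host" unless some prefix in the table covers 224.0.0.5 and 224.0.0.6. The Python script below is an added example, not part of the workbook or of Zebra. It parses the "ip route" lines of a zebra.conf-style text into a table, performs the same longest-prefix match the kernel does, and reports which OSPF multicast groups are left uncovered. The two configurations and the connected routes are constructed after the thread's; the function also accepts a default route as coverage, as Fredrik's message says the kernel does.

```python
"""Check that a Zebra host has routes covering the OSPF multicast groups.

Added example for the lab workbook, not code from Zebra. It models the
kernel's route lookup for 224.0.0.5 and 224.0.0.6 over the connected
routes of the box plus the static routes found in a zebra.conf-style text.
All configuration text below is constructed after the mailing-list thread.
"""
import ipaddress
import re

ALL_SPF_ROUTERS = "224.0.0.5"
ALL_D_ROUTERS = "224.0.0.6"

# zebra.conf syntax: "ip route PREFIX NEXTHOP", NEXTHOP being an address or interface name
STATIC_ROUTE_RE = re.compile(r"^\s*ip route\s+(\S+)\s+(\S+)")


def parse_static_routes(conf_text):
    """Return [(IPv4Network, nexthop_str)] for every 'ip route' line; other lines are ignored."""
    table = []
    for line in conf_text.splitlines():
        m = STATIC_ROUTE_RE.match(line)
        if m:
            prefix, nexthop = m.groups()
            table.append((ipaddress.ip_network(prefix, strict=False), nexthop))
    return table


def connected_routes(interfaces):
    """Routes the kernel installs for configured interfaces: [(addr/mask, ifname)] -> table rows."""
    return [(ipaddress.ip_network(cidr, strict=False), ifname) for cidr, ifname in interfaces]


def longest_prefix_match(table, dst):
    """Return the (network, nexthop) with the longest prefix containing dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, nexthop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best


def uncovered_ospf_groups(table):
    """Groups OSPF sends to for which the route lookup would fail (the 'No route to host' case)."""
    return [g for g in (ALL_SPF_ROUTERS, ALL_D_ROUTERS) if longest_prefix_match(table, g) is None]


# The Zebra box from the thread: one LAN interface, loopback, no default route (constructed).
LAN_ONLY = connected_routes([("192.168.16.3/27", "ne2"), ("127.0.0.1/8", "lo0")])

# Constructed zebra.conf without the multicast host routes ...
BROKEN_CONF = """\
hostname gamma
!
interface ne2
!
"""

# ... and with the routes Jasper suggested.
FIXED_CONF = """\
hostname gamma
!
ip route 224.0.0.5/32 127.0.0.1
ip route 224.0.0.6/32 127.0.0.1
ip route 224.0.0.9/32 127.0.0.1
!
"""


def check(conf_text, connected=LAN_ONLY):
    """Combine connected and static routes and list the OSPF groups that are still uncovered."""
    return uncovered_ospf_groups(connected + parse_static_routes(conf_text))


if __name__ == "__main__":
    print("without host routes, uncovered:", check(BROKEN_CONF))
    print("with host routes, uncovered:   ", check(FIXED_CONF))
```

Running the script prints the two OSPF groups as uncovered for the first configuration and an empty list for the second; a configuration containing only a default route also passes, which matches the "no default-route or other route to a prefix covering that address" wording in the thread.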
B.4 2001-03-17 - RADIUS on DEC Alpha running NetBSD
B.4.1 Status: OPEN
B.4.2 Symptom
During the course of this endeavor I acquired a new machine (Tigerente). Tigerente is a DEC AlphaStation 200 running the NetBSD 1.5/alpha operating system. My intent was/is to use this machine to provide all network-centric services such as DNS, NTP, FTP, HTTP and others. As of today (17 March 2001) Tigerente is the primary provider of DNS, NTP, FTP, TFTP and HTTP services.

My attempt to provide AAA services through node Tigerente has not yet been successful. I installed Cistron RADIUS v1.6.4 (built from source) but could not get it working. I de-installed Cistron and installed Merit AAA v3.6B (NetBSD 1.5-alpha package) instead but could not get it working either. I installed TACACS (NetBSD 1.5-alpha package) but to my surprise it would work as well as the two RADIUSes. In every case authentication failed with messages complaining about mismatching keys.

I am pretty confident that the configurations (and the keys) are correct. I have not even a vague idea about the cause of this. Further research is required. :) For the moment node Fruchtzwerg (iMac running MacOS X) is providing RADIUS services.
B.4.3 Analysis
Merit AAA: output from "debug radius" on the router and the "-x" output from radiusd

This is a login attempt to the router using an account/password tuple in /etc/passwd:
Beta#deb radius
Radius protocol debugging is on
Beta#term moni
Beta#! This is using account markus, should be using /etc/passwd
Jun 24 14:12:37.007: RADIUS: ustruct sharecount=1
Jun 24 14:12:37.011: Radius: radius_port_info() success=1 radius_nas_port=1
Jun 24 14:12:37.019: RADIUS: Initial Transmit tty3 id 3 192.168.16.201:1812, Access-Request, len 80
Jun 24 14:12:37.019:         Attribute 4 6 C0A82002
Jun 24 14:12:37.023:         Attribute 5 6 00000003
Jun 24 14:12:37.023:         Attribute 61 6 00000005
Jun 24 14:12:37.027:         Attribute 1 8 6D61726B
Jun 24 14:12:37.027:         Attribute 31 16 3139322E
Jun 24 14:12:37.031:         Attribute 2 18 7932B486
Jun 24 14:12:37.071: RADIUS: Received from id 3 192.168.16.201:1812, Access-Reject, len 135
Jun 24 14:12:37.075:         Attribute 4 6 C0A82002
Jun 24 14:12:37.075:         Attribute 5 6 00000003
Jun 24 14:12:37.079:         Attribute 61 6 00000005
Jun 24 14:12:37.079:         Attribute 1 8 6D61726B
Jun 24 14:12:37.083:         Attribute 31 16 3139322E
Jun 24 14:12:37.083:         Attribute 2 18 7932B486
Jun 24 14:12:37.087:         Attribute 222 8 6D61726B
Jun 24 14:12:37.087:         Attribute 32 16 62657461
Jun 24 14:12:37.091:         Attribute 11 7 756E6C69
Jun 24 14:12:37.091:         Attribute 18 24 41757468
Jun 24 14:12:37.095: RADIUS: Response (3) failed decrypt
Jun 24 14:12:37.099: RADIUS: Reply for 3 fails decrypt
And this is what radius.debug thinks about it:
Program = radiusd
NAS-IP-Address = 192.168.32.2 [flags = 0x00004500]
NAS-Port = 3 [flags = 0x00004500]
NAS-Port-Type = Virtual [flags = 0x00004500]
User-Name = "markus" [flags = 0x00004500]
Calling-Station-Id = "192.168.16.200" [flags = 0x00004500]
User-Password = "y2\0xb4\0x86\n~xS\0xc5h\0x1f;\0xd3\0x8f\0xdd\0xdd" [flags = 0x00004500]

get_radrequest: Request from c0a82002 (beta.brest.lab[1645]) access, id = 3, len = 80
unix_pass: ID = 'markus'
unix_pass: encrypted passwords do not match

NAS-IP-Address = 192.168.32.2 [flags = 0x00004500]
NAS-Port = 3 [flags = 0x00004500]
NAS-Port-Type = Virtual [flags = 0x00004500]
User-Name = "markus" [flags = 0x00004500]
Calling-Station-Id = "192.168.16.200" [flags = 0x00004500]
User-Password = "y2\0xb4\0x86\n~xS\0xc5h\0x1f;\0xd3\0x8f\0xdd\0xdd" [flags = 0x00004500]
User-Id = "markus" [flags = 0x00000400]
NAS-Identifier = "beta.brest.lab" [flags = 0x00004500]
Filter-Id = "unlim" [flags = 0x00004400]
Reply-Message = "Authentication failure" [flags = 0x00004000]

send_reply: Authentication: 3/0 'markus' from beta.brest.lab port 3
This is a login attempt to the router using an account/password tuple in ”users”:
Beta#
Beta#! This is using account labdog - should be using password from the file users
Beta#
Jun 24 14:19:30.744: RADIUS: ustruct sharecount=1
Jun 24 14:19:30.744: Radius: radius_port_info() success=1 radius_nas_port=1
Jun 24 14:19:30.752: RADIUS: Initial Transmit tty3 id 4 192.168.16.201:1812, Access-Request, len 80
Jun 24 14:19:30.756:         Attribute 4 6 C0A82002
Jun 24 14:19:30.756:         Attribute 5 6 00000003
Jun 24 14:19:30.760:         Attribute 61 6 00000005
Jun 24 14:19:30.760:         Attribute 1 8 6C616264
Jun 24 14:19:30.764:         Attribute 31 16 3139322E
Jun 24 14:19:30.764:         Attribute 2 18 520EB2B4
Jun 24 14:19:30.777: RADIUS: Received from id 4 192.168.16.201:1812, Access-Reject, len 135
Jun 24 14:19:30.781:         Attribute 4 6 C0A82002
Jun 24 14:19:30.781:         Attribute 5 6 00000003
Jun 24 14:19:30.785:         Attribute 61 6 00000005
Jun 24 14:19:30.785:         Attribute 1 8 6C616264
Jun 24 14:19:30.789:         Attribute 31 16 3139322E
Jun 24 14:19:30.789:         Attribute 2 18 520EB2B4
Jun 24 14:19:30.793:         Attribute 222 8 6C616264
Jun 24 14:19:30.793:         Attribute 32 16 62657461
Jun 24 14:19:30.797:         Attribute 11 7 756E6C69
Jun 24 14:19:30.797:         Attribute 18 24 41757468
Jun 24 14:19:30.801: RADIUS: Response (4) failed decrypt
Jun 24 14:19:30.805: RADIUS: Reply for 4 fails decrypt
And here is radius.debug again:
NAS-IP-Address = 192.168.32.2 [flags = 0x00004500]
NAS-Port = 3 [flags = 0x00004500]
NAS-Port-Type = Virtual [flags = 0x00004500]
User-Name = "labdog" [flags = 0x00004500]
Calling-Station-Id = "192.168.16.200" [flags = 0x00004500]
User-Password = "R\0x0e\0xb2\0xb4\0x82\0xd42&\0x0b-\0x1a\0x9c\0xb6\0x01R\0xc7" [flags = 0x00004500]

get_radrequest: Request from c0a82002 (beta.brest.lab[1645]) access, id = 4, len = 80
NAS-IP-Address = 192.168.32.2 [flags = 0x00004500]
NAS-Port = 3 [flags = 0x00004500]
NAS-Port-Type = Virtual [flags = 0x00004500]
User-Name = "labdog" [flags = 0x00004500]
Calling-Station-Id = "192.168.16.200" [flags = 0x00004500]
User-Password = "R\0x0e\0xb2\0xb4\0x82\0xd42&\0x0b-\0x1a\0x9c\0xb6\0x01R\0xc7" [flags = 0x00004500]
User-Id = "labdog" [flags = 0x00000400]
NAS-Identifier = "beta.brest.lab" [flags = 0x00004500]
Filter-Id = "unlim" [flags = 0x00004400]
Reply-Message = "Authentication failure" [flags = 0x00004000]

send_reply: Authentication: 4/1 'labdog' from beta.brest.lab port 3
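Both router traces end in "failed decrypt" for the Access-Reject, and on the server side radiusd reports "encrypted passwords do not match" even though the password is correct. Those are the two places where the shared secret enters RFC 2865: the User-Password attribute is hidden with MD5(secret + Request Authenticator) before it leaves the NAS, and the reply carries a Response Authenticator, MD5(Code + ID + Length + Request Authenticator + Attributes + secret), which the NAS recomputes with its own copy of the secret. The Python script below is an added example, not code from the workbook, Merit AAA, Cistron or IOS. It plays one Access-Request/Access-Reject round between a NAS and a server that may hold different secrets and returns what each side ends up with. The user name, password, secrets and Request Authenticator are constructed values.

```python
"""RADIUS shared-secret check (RFC 2865): User-Password hiding and the Response Authenticator.

Added example for the lab workbook; not code from Merit AAA, Cistron or IOS.
All secrets, names and authenticators are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_REPLY_MESSAGE = 18


def encode_attrs(attrs):
    """Serialise [(type, value), ...] as RADIUS TLVs; the length octet counts the 2-byte header."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password. With the wrong secret this yields garbage rather than
    an error, so the server just sees a password that does not match."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def verify_response(packet, request_auth, secret):
    """The NAS-side check: recompute the Response Authenticator with our secret and
    compare it to the 16 bytes the server sent.  A False here is the condition the
    router debug above reports as a reply that 'fails decrypt'."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def exchange(nas_secret, server_secret, request_auth=None):
    """One Access-Request/Access-Reject round trip between a NAS holding nas_secret and a
    server holding server_secret.  Returns (password_as_seen_by_server, nas_accepts_reply)."""
    if request_auth is None:
        request_auth = os.urandom(16)            # the NAS picks a fresh random value per request
    password = b"lab-pass"                       # constructed
    request = build_packet(ACCESS_REQUEST, 3, request_auth, [
        (ATTR_USER_NAME, b"markus"),
        (ATTR_USER_PASSWORD, hide_password(password, nas_secret, request_auth)),
    ])
    # Server side: walk the attributes, decode User-Password with the server's secret.
    attrs, i, seen = request[20:], 0, None
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if atype == ATTR_USER_PASSWORD:
            seen = unhide_password(attrs[i + 2:i + alen], server_secret, request_auth)
        i += alen
    reply_attrs = [(ATTR_REPLY_MESSAGE, b"Authentication failure")]
    reply = build_packet(ACCESS_REJECT, 3,
                         response_authenticator(ACCESS_REJECT, 3, request_auth,
                                                encode_attrs(reply_attrs), server_secret),
                         reply_attrs)
    # NAS side: validate the reply with the NAS's own secret.
    return seen, verify_response(reply, request_auth, nas_secret)


if __name__ == "__main__":
    print("same secret:     ", exchange(b"same-secret", b"same-secret"))
    print("different secret:", exchange(b"nas-secret", b"other-secret"))
```

With matching secrets the server recovers the password and the NAS accepts the reply; with differing secrets the server sees a random-looking byte string (the "encrypted passwords do not match" outcome) and the NAS rejects the Access-Reject's authenticator, so both sides of the trace above are explained by one mismatched secret. Note that a wrong secret is not distinguishable from a wrong password on the server side, which is why the NAS-side authenticator check is the more useful indicator.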
B.4.4 Solution
None.
C Activity Log
C.1 How to add IPv6 to the Lab Network
We assume that the static lab is already configured correctly for IPv4. The following steps then implement the IPv6 architecture described above.
C.1.1 Configure Route Reflectors
In the first step we configure Anchor and Dinghy as BGP route reflectors.
Enable IPv6 on Anchor and Dinghy
Add the following lines to /etc/rc.conf to enable IPv6 on Anchor (NetBSD/alpha 1.6) and Dinghy(NetBSD/sgimips 1.6).
Anchor
# IPv6 routing
# IPv6 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet6.ip6.forwarding=1
# Routing daemons are started via daemontools
# -> /service/zebra
# -> /service/bgpd
ip6mode=router              # host, autohost or router
ip6sitelocal=YES            # IPv6 sitelocal addrs
rtadvd=YES rtadvd_flags="tlp0"
rtsol=NO rtsol_flags="-a"   # for ip6mode=autohost only
Dinghy
# IPv6 routing
# IPv6 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet6.ip6.forwarding=1
# Routing daemons are started via daemontools
# -> /service/zebra
# -> /service/bgpd
ip6mode=router              # host, autohost or router
ip6sitelocal=YES            # IPv6 sitelocal addrs
rtadvd=YES rtadvd_flags="sq0"
rtsol=NO rtsol_flags="-a"   # for ip6mode=autohost only
Add the following lines to /etc/rc.local to enable IPv6 forwarding on Anchor and Dinghy.
Anchor
# Enable IPv6 forwarding
sysctl -w net.inet6.ip6.forwarding=1
Dinghy
# Enable IPv6 forwarding
sysctl -w net.inet6.ip6.forwarding=1
Configure IPv6 Addresses on Ethernet and Loopback Interfaces
Edit the file /etc/ifconfig.<interface> to configure an interface permanently on NetBSD.
Anchor
root@anchor# cat /etc/ifconfig.lo0
inet6 fefe::a prefixlen 128 alias
root@anchor#
root@anchor# cat /etc/ifconfig.tlp0
up
172.16.254.2 netmask 0xffffff00 media 10baseT
inet6 fefe:a::1 prefixlen 64 alias
root@anchor#
Dinghy
root@dinghy# cat /etc/ifconfig.lo0
inet6 fefe::d prefixlen 128 alias
root@dinghy#
root@dinghy# cat /etc/ifconfig.sq0
up
172.16.255.2 netmask 0xffffff00
inet6 fefe:d::1 prefixlen 64 alias
root@dinghy#
Create Tunnel between Anchor and Dinghy
Create the following files to configure the tunnel between Anchor and Dinghy.
Anchor
root@anchor# cat ifconfig.gif0
create
tunnel 172.16.254.2 172.16.255.2
inet6 fefe:bb::1 prefixlen 126 alias
root@anchor#
Dinghy
root@dinghy# cat /etc/ifconfig.gif0
create
tunnel 172.16.255.2 172.16.254.2
inet6 fefe:bb::2 prefixlen 126 alias
root@dinghy#
Reboot the machines and check the tunnel.
Anchor
root@anchor# ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 172.16.254.2 --> 172.16.255.2
        inet6 fe80::200:f8ff:fe20:5a6e%gif0 -> :: prefixlen 64 scopeid 0xc
root@anchor#
root@anchor# ping6 -c 5 ff02::1%gif0
PING6(64=40+8+16 bytes) fe80::200:f8ff:fe20:5a6e%gif0 --> ff02::1%gif0
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=0 hlim=64 time=1.234 ms
24 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=0 hlim=64 time=9.155 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=1 hlim=64 time=0.782 ms
24 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=1 hlim=64 time=8.779 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=2 hlim=64 time=1.212 ms
24 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=2 hlim=64 time=9.161 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=3 hlim=64 time=0.726 ms
24 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=3 hlim=64 time=8.785 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=4 hlim=64 time=0.726 ms

--- ff02::1%gif0 ping6 statistics ---
5 packets transmitted, 5 packets received, +4 duplicates, 0% packet loss
round-trip min/avg/max/std-dev = 0.726/4.507/9.161/3.998 ms
root@anchor#
Dinghy
root@dinghy# ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 172.16.255.2 --> 172.16.254.2
        inet6 fe80::a00:69ff:fe06:d6ce%gif0 -> :: prefixlen 64 scopeid 0x9
root@dinghy#
root@dinghy# ping6 -c5 ff02::1%gif0
PING6(56=40+8+8 bytes) fe80::a00:69ff:fe06:d6ce%gif0 --> ff02::1%gif0
16 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=0 hlim=64 time=1.16 ms
16 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=0 hlim=64 time=10.059 ms(DUP!)
16 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=1 hlim=64 time=0.91 ms
16 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=1 hlim=64 time=8.667 ms(DUP!)
16 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=2 hlim=64 time=0.921 ms
16 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=2 hlim=64 time=8.335 ms(DUP!)
16 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=3 hlim=64 time=0.926 ms
16 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=3 hlim=64 time=8.489 ms(DUP!)
16 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=4 hlim=64 time=0.92 ms

--- ff02::1%gif0 ping6 statistics ---
5 packets transmitted, 5 packets received, +4 duplicates, 0% packet loss
round-trip min/avg/max/std-dev = 0.910/4.487/10.059/3.963 ms
root@dinghy#
See the DUPs? That's good news, because it shows us that the other end of the tunnel is responding as well, which implies that the tunnel is up and running. Please note that we do not have IPv6 addresses explicitly configured on the tunnel. We are using 'link local addresses'.
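To make that check repeatable, here is an added Python example (not code from the workbook or from NetBSD) that parses ping6 output of the shape shown above, separates our own echo from the peer's replies (the lines marked (DUP!)), and reports the tunnel as up only when an address other than our own answered. It also recovers the MAC address behind an EUI-64 link-local address (RFC 2464), which is a convenient way to confirm which box actually answered. The two transcripts below are constructed after Anchor's output; the second one models a tunnel whose far end stays silent.

```python
"""Decide from ping6 output whether the far end of a gif tunnel answers.

Added example for the lab workbook (not code from the workbook or NetBSD).
Pinging ff02::1 (all nodes) on the tunnel interface makes both ends answer;
ping6 expects one reply per sequence number, so the peer's replies show up
as (DUP!).  The transcripts below are constructed after Anchor's output.
"""
import ipaddress
import re

SAMPLE_PING6 = """\
PING6(64=40+8+16 bytes) fe80::200:f8ff:fe20:5a6e%gif0 --> ff02::1%gif0
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=0 hlim=64 time=1.234 ms
24 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=0 hlim=64 time=9.155 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=1 hlim=64 time=0.782 ms
24 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=1 hlim=64 time=8.779 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=2 hlim=64 time=1.212 ms

--- ff02::1%gif0 ping6 statistics ---
3 packets transmitted, 3 packets received, +2 duplicates, 0% packet loss
round-trip min/avg/max/std-dev = 0.782/4.232/9.155/3.923 ms
"""

# Constructed transcript where only our own address answers: the far end is not reachable.
SAMPLE_LONELY = """\
PING6(64=40+8+16 bytes) fe80::200:f8ff:fe20:5a6e%gif0 --> ff02::1%gif0
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=0 hlim=64 time=1.234 ms
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=1 hlim=64 time=0.782 ms

--- ff02::1%gif0 ping6 statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
"""

HEADER_RE = re.compile(r"^PING6\(.*?\)\s+(?P<src>\S+)\s+-->\s+(?P<dst>\S+)")
REPLY_RE = re.compile(
    r"^\d+ bytes from (?P<addr>\S+), icmp_seq=(?P<seq>\d+) hlim=\d+ "
    r"time=(?P<rtt>[\d.]+) ms(?P<dup>\(DUP!\))?"
)


def parse_ping6(text):
    """Return (our_source_address, {replying_address: [rtt_ms, ...]})."""
    ours, replies = None, {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ours = m.group("src")
            continue
        m = REPLY_RE.match(line)
        if m:
            replies.setdefault(m.group("addr"), []).append(float(m.group("rtt")))
    return ours, replies


def tunnel_peers(text):
    """Addresses other than our own that answered the all-nodes ping, sorted."""
    ours, replies = parse_ping6(text)
    return sorted(addr for addr in replies if addr != ours)


def tunnel_is_up(text):
    """True when at least one remote address answered, i.e. the (DUP!) lines exist."""
    return bool(tunnel_peers(text))


def link_local_to_mac(addr):
    """Undo the EUI-64 construction (RFC 2464): drop the zone id, take the low 64 bits,
    remove the ff:fe filler and flip the universal/local bit.  Raises ValueError for a
    link-local address whose interface identifier was not derived from a MAC."""
    iid = ipaddress.IPv6Address(addr.split("%", 1)[0]).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not EUI-64 derived")
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    print("tunnel up:", tunnel_is_up(SAMPLE_PING6))
    for peer in tunnel_peers(SAMPLE_PING6):
        print("peer", peer, "-> MAC", link_local_to_mac(peer))
    print("lonely tunnel up:", tunnel_is_up(SAMPLE_LONELY))
```

For Anchor's transcript the only peer is fe80::a00:69ff:fe06:d6ce%gif0, which the EUI-64 reversal maps to 08:00:69:06:d6:ce; Anchor's own fe80::200:f8ff:fe20:5a6e maps to 00:00:f8:20:5a:6e. Comparing those with the Ethernet addresses in ifconfig on each box is a quick way to make sure the replies really come from the other end and not from a misconfigured interface on the same host.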
Configure iBGP between Anchor and Dinghy
We use loopback addresses for BGP peering purposes. In order to make these addresses reachable from the remote node we must add static routes to /etc/zebra.conf.
Anchor
root@anchor# cat /etc/zebra.conf | grep "ipv6 route"
ipv6 route fefe::d/128 gif0
root@anchor#
root@anchor# ping6 -c5 fefe::d
PING6(64=40+8+16 bytes) fefe::a --> fefe::d
24 bytes from fefe::d, icmp_seq=0 hlim=64 time=9.053 ms
24 bytes from fefe::d, icmp_seq=1 hlim=64 time=8.439 ms
24 bytes from fefe::d, icmp_seq=2 hlim=64 time=8.495 ms
24 bytes from fefe::d, icmp_seq=3 hlim=64 time=14.207 ms
24 bytes from fefe::d, icmp_seq=4 hlim=64 time=8.51 ms

--- fefe::d ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 8.439/9.741/14.207/2.244 ms
root@anchor#
Dinghy
root@dinghy# cat /etc/zebra.conf | grep "ipv6 route"
ipv6 route fefe::a/128 gif0
root@dinghy#
root@dinghy# ping6 -c 5 fefe::a
PING6(56=40+8+8 bytes) fefe::d --> fefe::a
16 bytes from fefe::a, icmp_seq=0 hlim=64 time=9.642 ms
16 bytes from fefe::a, icmp_seq=1 hlim=64 time=8.435 ms
16 bytes from fefe::a, icmp_seq=2 hlim=64 time=8.281 ms
16 bytes from fefe::a, icmp_seq=3 hlim=64 time=8.319 ms
16 bytes from fefe::a, icmp_seq=4 hlim=64 time=8.285 ms

--- fefe::a ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 8.281/8.592/9.642/0.528 ms
root@dinghy#
Now that the next-hop interface is reachable we can start to configure BGP. Did I already say thatzebra was compiled with --enable_multipath=4 on both boxes?
Anchor
root@anchor# cat /etc/bgpd.conf
!
! Zebra configuration saved from vty
!   2002/10/09 16:31:43
!
hostname Anchor(bgpd)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/bgpd.log
!
router bgp 65000
 bgp deterministic-med
 neighbor MESH peer-group
 neighbor MESH remote-as 65000
 neighbor MESH description Fellow route reflectors
 neighbor MESH update-source lo0
 no neighbor MESH activate
!
 address-family ipv6
 redistribute connected
 neighbor MESH activate
 neighbor MESH next-hop-self
 neighbor MESH route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::d peer-group MESH
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 set ipv6 next-hop global fefe::a
!
line vty
root@anchor#
Dinghy
[email protected]# cat /etc/bgpd.conf
!
! Zebra configuration saved from vty
!   2002/10/10 11:41:53
!
hostname Dinghy(bgpd)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/bgpd.log
!
router bgp 65000
 bgp deterministic-med
 neighbor MESH peer-group
 neighbor MESH remote-as 65000
 neighbor MESH description Fellow route reflectors
 neighbor MESH update-source lo0
 no neighbor MESH activate
!
 address-family ipv6
 redistribute connected
 neighbor MESH activate
 neighbor MESH next-hop-self
 neighbor MESH route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::a peer-group MESH
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 set ipv6 next-hop global fefe::d
!
line vty
[email protected]#
Let's see if the configuration works properly.
Anchor
[email protected]# rtr3 anchor:2605 show ip bgp scan : show ip bgp neig : show ipv6 bgp
spawn /bin/sh -c exec telnet anchor 2605
Trying 172.16.254.2...
Connected to anchor.brest.lab.
Escape character is '^]'.

Hello, this is zebra (version 0.93b).
Copyright 1996-2002 Kunihiro Ishiguro.

User Access Verification

Password:
Anchor(bgpd)> enable
Password:
Anchor(bgpd)# term leng 0
Anchor(bgpd)# show ip bgp scan
BGP scan is running
BGP scan interval is 60
Current BGP nexthop cache:
 fefe::d valid [IGP metric 0]
BGP connected route:
 172.16.254.0/24
 fefe:a::/64
Anchor(bgpd)# show ip bgp neig
BGP neighbor is fefe::d, remote AS 65000, local AS 65000, internal link
 Member of peer-group MESH for session parameters
  BGP version 4, remote router ID 172.16.255.2
  BGP state = Established, up for 00:05:17
  Last read 00:00:17, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    Address family IPv6 Unicast: advertised and received
  Received 9 messages, 0 notifications, 0 in queue
  Sent 10 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 5 seconds
  Update source is lo0

 For address family: IPv6 Unicast
  MESH peer-group member
  NEXT_HOP is always this router
  Community attribute sent to this neighbor (both)
  Outbound path policy configured
  Route map for outgoing advertisements is *SET_NEXT_HOP_TO_GLOBAL_IP6
  2 accepted prefixes

 Connections established 1; dropped 0
Local host: fefe::a, Local port: 49157
Foreign host: fefe::d, Foreign port: 179
Nexthop: 172.16.254.2
Nexthop global: fefe::a
Nexthop local: ::
BGP connection: non shared network
Read thread: on  Write thread: off

Anchor(bgpd)# show ipv6 bgp
BGP table version is 0, local router ID is 172.16.254.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> fefe::a/128      ::                       0         32768 ?
*>ifefe::d/128      fefe::d                  0    100      0 ?
*> fefe:a::/64      ::                       0         32768 ?
*>ifefe:d::/64      fefe::d                  0    100      0 ?

Total number of prefixes 4
Anchor(bgpd)#
[email protected]#
[email protected]# ping6 -c5 fefe:d::1
PING6(64=40+8+16 bytes) fefe:a::1 --> fefe:d::1
24 bytes from fefe:d::1, icmp_seq=0 hlim=64 time=8.975 ms
24 bytes from fefe:d::1, icmp_seq=1 hlim=64 time=8.586 ms
24 bytes from fefe:d::1, icmp_seq=2 hlim=64 time=8.338 ms
24 bytes from fefe:d::1, icmp_seq=3 hlim=64 time=8.322 ms
24 bytes from fefe:d::1, icmp_seq=4 hlim=64 time=8.705 ms

--- fefe:d::1 ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 8.322/8.585/8.975/0.244 ms
[email protected]#
Looks good to me.
Dinghy
[email protected]# rtr3 dinghy:2605 show ip bgp scan : show ip bgp neig : show ipv6 bgp
spawn /bin/sh -c exec telnet dinghy 2605
Trying 172.16.255.2...
Connected to dinghy.brest.lab.
Escape character is '^]'.

Hello, this is zebra (version 0.93b).
Copyright 1996-2002 Kunihiro Ishiguro.

User Access Verification

Password:
Dinghy(bgpd)> enable
Password:
Dinghy(bgpd)# term leng 0
Dinghy(bgpd)# show ip bgp scan
BGP scan is running
BGP scan interval is 60
Current BGP nexthop cache:
 fefe::a valid [IGP metric 0]
BGP connected route:
 172.16.255.0/24
 fefe:d::/64
Dinghy(bgpd)# show ip bgp neig
BGP neighbor is fefe::a, remote AS 65000, local AS 65000, internal link
 Member of peer-group MESH for session parameters
  BGP version 4, remote router ID 172.16.254.2
  BGP state = Established, up for 00:07:38
  Last read 00:00:38, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    Address family IPv6 Unicast: advertised and received
  Received 31 messages, 0 notifications, 0 in queue
  Sent 31 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 5 seconds
  Update source is lo0

 For address family: IPv6 Unicast
  MESH peer-group member
  NEXT_HOP is always this router
  Community attribute sent to this neighbor (both)
  Outbound path policy configured
  Route map for outgoing advertisements is *SET_NEXT_HOP_TO_GLOBAL_IP6
  2 accepted prefixes

 Connections established 2; dropped 1
Local host: fefe::d, Local port: 179
Foreign host: fefe::a, Foreign port: 49157
Nexthop: 172.16.255.2
Nexthop global: fefe::d
Nexthop local: ::
BGP connection: non shared network
Read thread: on  Write thread: off

Dinghy(bgpd)# show ipv6 bgp
BGP table version is 0, local router ID is 172.16.255.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>ifefe::a/128      fefe::a                  0    100      0 ?
*> fefe::d/128      ::                       0         32768 ?
*>ifefe:a::/64      fefe::a                  0    100      0 ?
*> fefe:d::/64      ::                       0         32768 ?

Total number of prefixes 4
Dinghy(bgpd)#
[email protected]#
[email protected]# ping6 -c5 fefe:a::1
PING6(56=40+8+8 bytes) fefe:d::1 --> fefe:a::1
16 bytes from fefe:a::1, icmp_seq=0 hlim=64 time=9.523 ms
16 bytes from fefe:a::1, icmp_seq=1 hlim=64 time=15.738 ms
16 bytes from fefe:a::1, icmp_seq=2 hlim=64 time=8.398 ms
16 bytes from fefe:a::1, icmp_seq=3 hlim=64 time=15.604 ms
16 bytes from fefe:a::1, icmp_seq=4 hlim=64 time=8.226 ms

--- fefe:a::1 ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 8.226/11.498/15.738/3.437 ms
[email protected]#
Looks like we have got BGP working between Anchor and Dinghy. The next step would be adding an edge router.
C.1.2 Configure Cisco Edge Router
As a second step we will add an IPv6 edge router to our hub routers.
Enable IPv6 on Edge Router
Edge1
Edge1(config)#ipv6 unicast-routing
Edge1(config)#
Edge1(config)#interface loopback 0
Edge1(config-if)#ipv6 address fefe::e1/128
Edge1(config-if)#exit
Edge1(config)#
Edge1(config)#interface ethernet 0
Edge1(config-if)#ipv6 address fefe:e1::1/64
Edge1(config-if)#exit
Configure Tunnels
Edit the file /etc/ifconfig.gif1 to configure the tunnel interfaces permanently on Anchor and Dinghy. Use the command ifconfig gif1 to configure the tunnel interfaces on the fly.
Anchor
[email protected]# cat /etc/ifconfig.gif1
create
tunnel 172.16.254.2 172.16.0.11
inet6 [email protected]#
Dinghy
[email protected]# cat /etc/ifconfig.gif1
create
tunnel 172.16.255.2 172.16.0.11
inet6 [email protected]#
Edge1
Edge1(config)#interface tunnel 0
Edge1(config-if)#description IPv6 tunnel to router Anchor
Edge1(config-if)#ipv6 enable
Edge1(config-if)#tunnel source loopback 0
Edge1(config-if)#tunnel destination 172.16.254.2
Edge1(config-if)#tunnel mode ipv6ip
Edge1(config-if)#exit
Edge1(config)#
Edge1(config)#interface tunnel 1
Edge1(config-if)#description IPv6 tunnel to router Dinghy
Edge1(config-if)#ipv6 enable
Edge1(config-if)#tunnel source loopback 0
Edge1(config-if)#tunnel destination 172.16.255.2
Edge1(config-if)#tunnel mode ipv6ip
Edge1(config-if)#exit
Issue a wr mem command to save the configuration to the router's NVRAM.
Check if the tunnels are working.
Anchor
[email protected]# ping6 -c5 ff02::1%gif1
PING6(64=40+8+16 bytes) fe80::200:f8ff:fe20:5a6e%gif1 --> ff02::1%gif1
24 bytes from fe80::200:f8ff:fe20:5a6e%gif1, icmp_seq=0 hlim=64 time=1.3 ms
24 bytes from fe80::ac10:b%gif1, icmp_seq=0 hlim=64 time=7.116 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif1, icmp_seq=1 hlim=64 time=0.688 ms
24 bytes from fe80::ac10:b%gif1, icmp_seq=1 hlim=64 time=6.541 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif1, icmp_seq=2 hlim=64 time=0.718 ms
24 bytes from fe80::ac10:b%gif1, icmp_seq=2 hlim=64 time=6.741 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif1, icmp_seq=3 hlim=64 time=0.648 ms
24 bytes from fe80::ac10:b%gif1, icmp_seq=3 hlim=64 time=6.641 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif1, icmp_seq=4 hlim=64 time=0.687 ms

--- ff02::1%gif1 ping6 statistics ---
5 packets transmitted, 5 packets received, +4 duplicates, 0% packet loss
round-trip min/avg/max/std-dev = 0.648/3.453/7.116/2.967 ms
[email protected]#
Dinghy
[email protected]# ping6 -c5 ff02::1%gif1
PING6(56=40+8+8 bytes) fe80::a00:69ff:fe06:d6ce%gif1 --> ff02::1%gif1
16 bytes from fe80::a00:69ff:fe06:d6ce%gif1, icmp_seq=0 hlim=64 time=1.182 ms
16 bytes from fe80::ac10:b%gif1, icmp_seq=0 hlim=64 time=11.309 ms(DUP!)
16 bytes from fe80::a00:69ff:fe06:d6ce%gif1, icmp_seq=1 hlim=64 time=0.898 ms
16 bytes from fe80::ac10:b%gif1, icmp_seq=1 hlim=64 time=7.95 ms(DUP!)
16 bytes from fe80::a00:69ff:fe06:d6ce%gif1, icmp_seq=2 hlim=64 time=0.883 ms
16 bytes from fe80::ac10:b%gif1, icmp_seq=2 hlim=64 time=7.638 ms(DUP!)
16 bytes from fe80::a00:69ff:fe06:d6ce%gif1, icmp_seq=3 hlim=64 time=0.926 ms
16 bytes from fe80::ac10:b%gif1, icmp_seq=3 hlim=64 time=7.866 ms(DUP!)
16 bytes from fe80::a00:69ff:fe06:d6ce%gif1, icmp_seq=4 hlim=64 time=0.895 ms

--- ff02::1%gif1 ping6 statistics ---
5 packets transmitted, 5 packets received, +4 duplicates, 0% packet loss
round-trip min/avg/max/std-dev = 0.883/4.394/11.309/3.975 ms
[email protected]#
The DUPs indicate that a tunnel far end is responding and the tunnel is operational.
Edge1
Edge1#show ipv6 int tun 0
Tunnel0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::AC10:B
  Description: IPv6 tunnel to router Anchor
  No global unicast address is configured
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF10:B
  MTU is 1480 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  Hosts use stateless autoconfig for addresses.
Edge1#
Edge1#show ipv6 int tun 1
Tunnel1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::AC10:B
  Description: IPv6 tunnel to router Dinghy
  No global unicast address is configured
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF10:B
  MTU is 1480 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  Hosts use stateless autoconfig for addresses.
Edge1#
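A tunnel that is only configured on one side, or with a mismatched mode, blackholes the IPv6 traffic without any error on the console. The following script, an added example that is not part of the workbook or of NetBSD/IOS, cross-checks the gif definitions from /etc/ifconfig.gif1 on Anchor and Dinghy against the Tunnel0/Tunnel1 stanzas of Edge1 (given here in running-config form; the Loopback0 address 172.16.0.11 is assumed from the tunnel destinations above, and Tunnel1 is given a deliberately wrong mode so the check has something to report).

```python
"""Cross-check NetBSD gif tunnels against IOS Tunnel interfaces.

Every NetBSD 'tunnel <local> <remote>' must have an IOS tunnel whose
source is <remote> and whose destination is <local>, in mode ipv6ip
(IPv6 over IPv4, which is what gif carries here), and vice versa.
"""

# Constructed samples. The ifconfig.gif1 contents follow the workbook; the
# IOS text is the running-config form of the tunnel commands above plus an
# assumed Loopback0 address. Tunnel1's mode is deliberately wrong.
NETBSD_FILES = {
    ("anchor", "gif1"): "create\ntunnel 172.16.254.2 172.16.0.11\n",
    ("dinghy", "gif1"): "create\ntunnel 172.16.255.2 172.16.0.11\n",
}
IOS_CONFIG = """\
interface Loopback0
 ip address 172.16.0.11 255.255.255.255
!
interface Tunnel0
 description IPv6 tunnel to router Anchor
 ipv6 enable
 tunnel source Loopback0
 tunnel destination 172.16.254.2
 tunnel mode ipv6ip
!
interface Tunnel1
 description IPv6 tunnel to router Dinghy
 ipv6 enable
 tunnel source Loopback0
 tunnel destination 172.16.255.2
 tunnel mode gre ip
!
"""


def parse_ifconfig_gif(text):
    """Return (local, remote) from the 'tunnel' line of /etc/ifconfig.gifN."""
    for line in text.splitlines():
        words = line.split()
        if len(words) == 3 and words[0] == "tunnel":
            return words[1], words[2]
    return None


def parse_ios_tunnels(text):
    """Return {TunnelName: {source, destination, mode}} from IOS config text.

    A 'tunnel source <interface>' is resolved via that interface's
    'ip address' line; an IP literal is used as-is.
    """
    stanzas, cur = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1].strip()
            stanzas[cur] = {}
        elif cur and line.startswith(" "):
            words = line.split()
            if words[:2] == ["ip", "address"]:
                stanzas[cur]["ip"] = words[2]
            elif words[:2] == ["tunnel", "source"]:
                stanzas[cur]["source"] = words[2]
            elif words[:2] == ["tunnel", "destination"]:
                stanzas[cur]["destination"] = words[2]
            elif words[:2] == ["tunnel", "mode"]:
                stanzas[cur]["mode"] = " ".join(words[2:])
        elif line.startswith("!"):
            cur = None
    tunnels = {}
    for name, s in stanzas.items():
        if not name.lower().startswith("tunnel"):
            continue
        src = s.get("source", "")
        if src and not src[0].isdigit():  # interface name, not an address
            src = stanzas.get(src, {}).get("ip", "")
        tunnels[name] = {"source": src,
                         "destination": s.get("destination", ""),
                         "mode": s.get("mode", "")}
    return tunnels


def check_tunnels(netbsd_files, ios_config):
    """Return a list of findings; an empty list means every tunnel is mirrored."""
    findings = []
    gifs = {k: parse_ifconfig_gif(v) for k, v in netbsd_files.items()}
    tunnels = parse_ios_tunnels(ios_config)
    # Index IOS tunnels by (destination, source) so that a NetBSD
    # (local, remote) pair can look up its mirror image directly.
    by_far_end = {(t["destination"], t["source"]): n for n, t in tunnels.items()}
    for (host, ifname), ends in gifs.items():
        if ends is None:
            findings.append(f"{host} {ifname}: no 'tunnel' line")
            continue
        name = by_far_end.get(ends)
        if name is None:
            findings.append(f"{host} {ifname}: no IOS tunnel with source "
                            f"{ends[1]} and destination {ends[0]}")
        elif tunnels[name]["mode"] != "ipv6ip":
            findings.append(f"{name}: mode '{tunnels[name]['mode']}', "
                            f"expected ipv6ip to match gif on {host}")
    mirrored = {ends for ends in gifs.values() if ends}
    for name, t in tunnels.items():
        if (t["destination"], t["source"]) not in mirrored:
            findings.append(f"{name}: no NetBSD gif points back at "
                            f"{t['source']} from {t['destination']}")
    return findings


if __name__ == "__main__":
    for finding in check_tunnels(NETBSD_FILES, IOS_CONFIG) or ["all tunnels mirrored"]:
        print(finding)
```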
Configure BGP on Route Reflectors
Add static routes to the loopback interface of router Edge1.
Anchor
[email protected]# cat /etc/zebra.conf | grep "ipv6 route"
ipv6 route fefe::d/128 gif0
ipv6 route fefe::e1/128 gif1
[email protected]#
Dinghy
[email protected]# cat /etc/zebra.conf | grep "ipv6 route"
ipv6 route fefe::a/128 gif0
ipv6 route fefe::e1/128 gif1
[email protected]#
Configure BGP; we add another peer group for the route reflector clients.
Anchor
[email protected]# cat /etc/bgpd.conf
!
! Zebra configuration saved from vty
!   2002/10/09 23:42:47
!
hostname Anchor(bgpd)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/bgpd.log
!
router bgp 65000
 bgp deterministic-med
 neighbor CLIENTS peer-group
 neighbor CLIENTS remote-as 65000
 neighbor CLIENTS description Route reflector clients
 neighbor CLIENTS update-source lo0
 no neighbor CLIENTS activate
 neighbor MESH peer-group
 neighbor MESH remote-as 65000
 neighbor MESH description Fellow route reflectors
 neighbor MESH update-source lo0
 no neighbor MESH activate
!
 address-family ipv6
 redistribute connected
 neighbor CLIENTS activate
 neighbor CLIENTS route-reflector-client
 neighbor CLIENTS next-hop-self
 neighbor CLIENTS route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor MESH activate
 neighbor MESH next-hop-self
 neighbor MESH route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::d peer-group MESH
 neighbor fefe::e1 peer-group CLIENTS
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 set ipv6 next-hop global fefe::a
!
line vty
[email protected]#
Dinghy
[email protected]# cat /etc/bgpd.conf
!
! Zebra configuration saved from vty
!   2002/10/10 18:51:24
!
hostname Dinghy(bgpd)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/bgpd.log
!
router bgp 65000
 bgp deterministic-med
 neighbor CLIENTS peer-group
 neighbor CLIENTS remote-as 65000
 neighbor CLIENTS description Route reflector clients
 neighbor CLIENTS update-source lo0
 no neighbor CLIENTS activate
 neighbor MESH peer-group
 neighbor MESH remote-as 65000
 neighbor MESH description Fellow route reflectors
 neighbor MESH update-source lo0
 no neighbor MESH activate
!
 address-family ipv6
 redistribute connected
 neighbor CLIENTS activate
 neighbor CLIENTS route-reflector-client
 neighbor CLIENTS next-hop-self
 neighbor CLIENTS route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor MESH activate
 neighbor MESH next-hop-self
 neighbor MESH route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::a peer-group MESH
 neighbor fefe::e1 peer-group CLIENTS
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 set ipv6 next-hop global fefe::d
!
line vty
[email protected]#
Configure BGP on Cisco Edge Router
Edge1
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 bgp deterministic-med
 neighbor ROUTE-REFLECTORS peer-group
 neighbor ROUTE-REFLECTORS remote-as 65000
 neighbor ROUTE-REFLECTORS description Upstream route reflector servers
 neighbor ROUTE-REFLECTORS update-source Loopback0
 no neighbor ROUTE-REFLECTORS activate
 no auto-summary
 !
 address-family ipv6
 neighbor ROUTE-REFLECTORS activate
 neighbor ROUTE-REFLECTORS next-hop-self
 neighbor ROUTE-REFLECTORS send-community
 neighbor ROUTE-REFLECTORS route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::a peer-group ROUTE-REFLECTORS
 neighbor fefe::d peer-group ROUTE-REFLECTORS
 no synchronization
 redistribute connected
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 description Set next hop to global IPv6 addr; default is using link local IPv6 addr
 set ipv6 next-hop fefe::e1
!
ipv6 route fefe::a/128 Tunnel0
ipv6 route fefe::d/128 Tunnel1
Test Static Route and Tunnel
Anchor
[email protected]# ping6 -c5 fefe::e1
PING6(64=40+8+16 bytes) fefe::a --> fefe::e1
24 bytes from fefe::e1, icmp_seq=0 hlim=64 time=12.081 ms
24 bytes from fefe::e1, icmp_seq=1 hlim=64 time=11.709 ms
24 bytes from fefe::e1, icmp_seq=2 hlim=64 time=12.496 ms
24 bytes from fefe::e1, icmp_seq=3 hlim=64 time=11.671 ms
24 bytes from fefe::e1, icmp_seq=4 hlim=64 time=12.852 ms

--- fefe::e1 ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 11.671/12.162/12.852/0.456 ms
[email protected]#
Dinghy
[email protected]# ping6 -c5 fefe::e1
PING6(56=40+8+8 bytes) fefe::d --> fefe::e1
16 bytes from fefe::e1, icmp_seq=0 hlim=64 time=8.727 ms
16 bytes from fefe::e1, icmp_seq=1 hlim=64 time=8.33 ms
16 bytes from fefe::e1, icmp_seq=2 hlim=64 time=8.438 ms
16 bytes from fefe::e1, icmp_seq=3 hlim=64 time=8.398 ms
16 bytes from fefe::e1, icmp_seq=4 hlim=64 time=8.379 ms

--- fefe::e1 ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 8.330/8.454/8.727/0.141 ms
[email protected]#
Edge1
Edge1#ping fefe::a

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEFE::A, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/36 ms
Edge1#
Edge1#ping fefe::d

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEFE::D, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
Edge1#
Check BGP
Anchor
[email protected]# rtr3 anchor:2605 show ip bgp scan : show ip bgp neig : show ipv6 bgp
spawn /bin/sh -c exec telnet anchor 2605
Trying 172.16.254.2...
Connected to anchor.brest.lab.
Escape character is '^]'.

Hello, this is zebra (version 0.93b).
Copyright 1996-2002 Kunihiro Ishiguro.

User Access Verification

Password:
Anchor(bgpd)> enable
Password:
Anchor(bgpd)# term leng 0
Anchor(bgpd)# show ip bgp scan
BGP scan is running
BGP scan interval is 60
Current BGP nexthop cache:
 fefe::d valid [IGP metric 0]
 fefe::e1 valid [IGP metric 0]
BGP connected route:
 172.16.254.0/24
 fefe:a::/64
Anchor(bgpd)# show ip bgp neig
BGP neighbor is fefe::d, remote AS 65000, local AS 65000, internal link
 Member of peer-group MESH for session parameters
  BGP version 4, remote router ID 172.16.255.2
  BGP state = Established, up for 00:09:00
  Last read 00:01:00, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    Address family IPv6 Unicast: advertised and received
  Received 14 messages, 0 notifications, 0 in queue
  Sent 15 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 5 seconds
  Update source is lo0

 For address family: IPv6 Unicast
  MESH peer-group member
  NEXT_HOP is always this router
  Community attribute sent to this neighbor (both)
  Outbound path policy configured
  Route map for outgoing advertisements is *SET_NEXT_HOP_TO_GLOBAL_IP6
  4 accepted prefixes

 Connections established 1; dropped 0
Local host: fefe::a, Local port: 49153
Foreign host: fefe::d, Foreign port: 179
Nexthop: 172.16.254.2
Nexthop global: fefe::a
Nexthop local: ::
BGP connection: non shared network
Read thread: on  Write thread: off

BGP neighbor is fefe::e1, remote AS 65000, local AS 65000, internal link
 Member of peer-group CLIENTS for session parameters
  BGP version 4, remote router ID 172.16.0.11
  BGP state = Established, up for 00:09:17
  Last read 00:00:17, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    Address family IPv6 Unicast: advertised and received
  Received 13 messages, 0 notifications, 0 in queue
  Sent 16 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 5 seconds
  Update source is lo0
 For address family: IPv6 Unicast
  CLIENTS peer-group member
  Route-Reflector Client
  NEXT_HOP is always this router
  Community attribute sent to this neighbor (both)
  Outbound path policy configured
  Route map for outgoing advertisements is *SET_NEXT_HOP_TO_GLOBAL_IP6
  2 accepted prefixes

 Connections established 1; dropped 0
Local host: fefe::a, Local port: 49154
Foreign host: fefe::e1, Foreign port: 179
Nexthop: 172.16.254.2
Nexthop global: fefe::a
Nexthop local: ::
BGP connection: non shared network
Read thread: on  Write thread: off

Anchor(bgpd)# show ipv6 bgp
BGP table version is 0, local router ID is 172.16.254.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> fefe::a/128      ::                       0         32768 ?
*>ifefe::d/128      fefe::d                  0    100      0 ?
* ifefe::e1/128     fefe::e1                      100      0 ?
*>i                 fefe::e1                      100      0 ?
*> fefe:a::/64      ::                       0         32768 ?
*>ifefe:d::/64      fefe::d                  0    100      0 ?
* ifefe:e1::/64     fefe::e1                      100      0 ?
*>i                 fefe::e1                      100      0 ?

Total number of prefixes 6
Anchor(bgpd)#
[email protected]#
Dinghy
[email protected]# rtr3 dinghy:2605 show ip bgp scan : show ip bgp neig : show ipv6 bgp
spawn /bin/sh -c exec telnet dinghy 2605
Trying 172.16.255.2...
Connected to dinghy.brest.lab.
Escape character is '^]'.
Hello, this is zebra (version 0.93b).Copyright 1996-2002 Kunihiro Ishiguro.
User Access Verification
Password:
Dinghy(bgpd)> enable
Password:
Dinghy(bgpd)# term leng 0
Dinghy(bgpd)# show ip bgp scan
BGP scan is running
BGP scan interval is 60
Current BGP nexthop cache:
 fefe::a valid [IGP metric 0]
 fefe::e1 valid [IGP metric 0]
BGP connected route:
 172.16.255.0/24
 fefe:d::/64
Dinghy(bgpd)# show ip bgp neig
BGP neighbor is fefe::a, remote AS 65000, local AS 65000, internal link
 Member of peer-group MESH for session parameters
  BGP version 4, remote router ID 172.16.254.2
  BGP state = Established, up for 00:07:01
  Last read 00:00:01, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    Address family IPv6 Unicast: advertised and received
  Received 12 messages, 0 notifications, 0 in queue
  Sent 15 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 5 seconds
  Update source is lo0

 For address family: IPv6 Unicast
  MESH peer-group member
  NEXT_HOP is always this router
  Community attribute sent to this neighbor (both)
  Outbound path policy configured
  Route map for outgoing advertisements is *SET_NEXT_HOP_TO_GLOBAL_IP6
  4 accepted prefixes

 Connections established 1; dropped 0
Local host: fefe::d, Local port: 179
Foreign host: fefe::a, Foreign port: 49153
Nexthop: 172.16.255.2
Nexthop global: fefe::d
Nexthop local: ::
BGP connection: non shared network
Read thread: on  Write thread: off

BGP neighbor is fefe::e1, remote AS 65000, local AS 65000, internal link
 Member of peer-group CLIENTS for session parameters
  BGP version 4, remote router ID 172.16.0.11
  BGP state = Established, up for 00:07:01
  Last read 00:00:01, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    Address family IPv6 Unicast: advertised and received
  Received 11 messages, 0 notifications, 0 in queue
  Sent 14 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 5 seconds
  Update source is lo0

 For address family: IPv6 Unicast
  CLIENTS peer-group member
  Route-Reflector Client
  NEXT_HOP is always this router
  Community attribute sent to this neighbor (both)
  Outbound path policy configured
  Route map for outgoing advertisements is *SET_NEXT_HOP_TO_GLOBAL_IP6
  2 accepted prefixes

 Connections established 1; dropped 0
Local host: fefe::d, Local port: 49154
Foreign host: fefe::e1, Foreign port: 179
Nexthop: 172.16.255.2
Nexthop global: fefe::d
Nexthop local: ::
BGP connection: non shared network
Read thread: on  Write thread: off

Dinghy(bgpd)# show ipv6 bgp
BGP table version is 0, local router ID is 172.16.255.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>ifefe::a/128      fefe::a                  0    100      0 ?
*> fefe::d/128      ::                       0         32768 ?
* ifefe::e1/128     fefe::e1                      100      0 ?
*>i                 fefe::e1                      100      0 ?
*>ifefe:a::/64      fefe::a                  0    100      0 ?
*> fefe:d::/64      ::                       0         32768 ?
* ifefe:e1::/64     fefe::e1                      100      0 ?
*>i                 fefe::e1                      100      0 ?

Total number of prefixes 6
Dinghy(bgpd)#
[email protected]#
Edge1
[email protected]# rtr3 edge1 show ip bgp neig : show bgp ipv6 : show bgp ipv6 summary
spawn /bin/sh -c exec telnet edge1
Trying 172.16.0.11...
Connected to edge1.brest.lab.
Escape character is '^]'.

User Access Verification

Username: Kerberos: No default realm defined for Kerberos!
markus
Password:
Edge1>enable
Password:
Edge1#term leng 0
Edge1#show ip bgp neig
BGP neighbor is FEFE::A, remote AS 65000, internal link
 Member of peer-group ROUTE-REFLECTORS for session parameters
  BGP version 4, remote router ID 172.16.254.2
  BGP state = Established, up for 00:13:31
  Last read 00:00:31, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv6 Unicast: advertised and received
  Received 65 messages, 0 notifications, 0 in queue
  Sent 58 messages, 0 notifications, 0 in queue
  Default minimum time between advertisement runs is 5 seconds

 For address family: IPv6 Unicast
  BGP table version 21, neighbor version 21
  Index 1, Offset 0, Mask 0x2
  ROUTE-REFLECTORS peer-group member
  NEXT_HOP is always this router
  Community attribute sent to this neighbor
  Route refresh request: received 0, sent 0
  Outbound path policy configured
  Route map for outgoing advertisements is SET_NEXT_HOP_TO_GLOBAL_IP6
  4 accepted prefixes consume 272 bytes
  Prefix advertised 4, suppressed 0, withdrawn 0

  Connections established 2; dropped 1
  Last reset 00:13:34, due to Peer closed the session
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: FEFE::E1, Local port: 179
Foreign host: FEFE::A, Foreign port: 49154

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x37FE98):
Timer          Starts    Wakeups            Next
Retrans            18          0             0x0
TimeWait            0          0             0x0
AckHold            20          5             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0

iss: 1416768829  snduna: 1416769266  sndnxt: 1416769266  sndwnd:  16384
irs:  926894319  rcvnxt:  926895002  rcvwnd:  16232  delrcvwnd:    152

SRTT: 273 ms, RTTO: 499 ms, RTV: 226 ms, KRTT: 0 ms
minRTT: 12 ms, maxRTT: 300 ms, ACK hold: 200 ms
Flags: passive open, nagle, gen tcbs

Datagrams (max data segment is 516 bytes):
Rcvd: 37 (out of order: 0), with data: 20, total data bytes: 682
Sent: 24 (retransmit: 0, fastretransmit: 0), with data: 24, total data bytes: 1404

BGP neighbor is FEFE::D, remote AS 65000, internal link
 Member of peer-group ROUTE-REFLECTORS for session parameters
  BGP version 4, remote router ID 172.16.255.2
  BGP state = Established, up for 00:13:14
  Last read 00:00:14, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv6 Unicast: advertised and received
  Received 34 messages, 0 notifications, 0 in queue
  Sent 31 messages, 0 notifications, 0 in queue
  Default minimum time between advertisement runs is 5 seconds

 For address family: IPv6 Unicast
  BGP table version 21, neighbor version 21
  Index 1, Offset 0, Mask 0x2
  ROUTE-REFLECTORS peer-group member
  NEXT_HOP is always this router
  Community attribute sent to this neighbor
  Route refresh request: received 0, sent 0
  Outbound path policy configured
  Route map for outgoing advertisements is SET_NEXT_HOP_TO_GLOBAL_IP6
  4 accepted prefixes consume 272 bytes
  Prefix advertised 4, suppressed 0, withdrawn 0

  Connections established 2; dropped 1
  Last reset 00:13:18, due to Peer closed the session
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: FEFE::E1, Local port: 179
Foreign host: FEFE::D, Foreign port: 49154
Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x37FFC8):
Timer          Starts    Wakeups            Next
Retrans            18          0             0x0
TimeWait            0          0             0x0
AckHold            20          7             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0

iss: 3977539705  snduna: 3977540142  sndnxt: 3977540142  sndwnd:  16384
irs: 1456148508  rcvnxt: 1456149191  rcvwnd:  16232  delrcvwnd:    152

SRTT: 273 ms, RTTO: 499 ms, RTV: 226 ms, KRTT: 0 ms
minRTT: 8 ms, maxRTT: 300 ms, ACK hold: 200 ms
Flags: passive open, nagle, gen tcbs

Datagrams (max data segment is 516 bytes):
Rcvd: 34 (out of order: 0), with data: 20, total data bytes: 682
Sent: 26 (retransmit: 0, fastretransmit: 0), with data: 26, total data bytes: 1484
Edge1#show bgp ipv6
BGP table version is 21, local router ID is 172.16.0.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>iFEFE::A/128      FEFE::A                  0    100      0 ?
* i                 FEFE::A                  0    100      0 ?
*>iFEFE::D/128      FEFE::D                  0    100      0 ?
* i                 FEFE::D                  0    100      0 ?
*> FEFE::E1/128     ::                                 32768 ?
*>iFEFE:A::/64      FEFE::A                  0    100      0 ?
* i                 FEFE::A                  0    100      0 ?
*>iFEFE:D::/64      FEFE::D                  0    100      0 ?
* i                 FEFE::D                  0    100      0 ?
*> FEFE:E1::/64     ::                                 32768 ?
Edge1#show bgp ipv6 summary
BGP router identifier 172.16.0.11, local AS number 65000
BGP table version is 21, main routing table version 21
6 network entries and 10 paths using 1454 bytes of memory
2 BGP path attribute entries using 120 bytes of memory
2 BGP rrinfo entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP activity 8/50 prefixes, 20/10 paths, scan interval 60 secs
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
FEFE::A         4 65000      65      58       21    0    0 00:13:32        4
FEFE::D         4 65000      34      31       21    0    0 00:13:15        4
Edge1#
[email protected]#
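The checks above are done by eye: every session Established, the right number of prefixes received, and each learned prefix carrying a global next hop (the reason for the SET_NEXT_HOP_TO_GLOBAL_IP6 route-map: a link-local next hop cannot be resolved across the gif/Tunnel links). The following script, an added example that is not part of the workbook or of zebra/IOS, automates those three checks over the 'show bgp ipv6 summary' neighbor rows and the 'show ipv6 bgp' table; the sample table is Anchor's, with one constructed row carrying a link-local next hop to show what the check catches.

```python
"""Verify IPv6 BGP state from captured 'show' output (zebra and IOS formats)."""
import ipaddress

# Constructed sample: neighbor rows of 'show bgp ipv6 summary' as Edge1 prints them.
SUMMARY_SAMPLE = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
FEFE::A         4 65000      65      58       21    0    0 00:13:32        4
FEFE::D         4 65000      34      31       21    0    0 00:13:15        4
"""

# Constructed sample: 'show ipv6 bgp' rows from Anchor, plus a last row with a
# link-local next hop, which is what arrives when the outbound route-map is missing.
TABLE_SAMPLE = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> fefe::a/128      ::                       0         32768 ?
*>ifefe::d/128      fefe::d                  0    100      0 ?
* ifefe::e1/128     fefe::e1                      100      0 ?
*>i                 fefe::e1                      100      0 ?
*>ifefe:e1::/64     fe80::ac10:b                  100      0 ?
"""


def parse_summary(text):
    """Parse 'show bgp ipv6 summary' neighbor rows into a dict keyed by peer.

    The State/PfxRcd column is a number once the session is Established and
    a state name (Idle, Active, ...) otherwise. Header and memory lines are
    skipped because their first token is not an IPv6 address.
    """
    peers = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 10:
            continue
        try:
            peer = str(ipaddress.IPv6Address(tok[0]))  # normalises case
        except ValueError:
            continue
        last = tok[-1]
        established = last.isdigit()
        peers[peer] = {"as": int(tok[2]), "up_down": tok[-2],
                       "established": established,
                       "pfx_rcd": int(last) if established else None,
                       "state": "Established" if established else last}
    return peers


def check_sessions(peers, expected):
    """Compare parsed peers with {peer: expected prefix count}; return problems."""
    problems = []
    for nbr, want in expected.items():
        info = peers.get(nbr)
        if info is None:
            problems.append(f"{nbr}: no session row at all")
        elif not info["established"]:
            problems.append(f"{nbr}: state {info['state']}, not Established")
        elif info["pfx_rcd"] != want:
            problems.append(f"{nbr}: {info['pfx_rcd']} prefixes received, expected {want}")
    return problems


def parse_table(text):
    """Parse 'show ipv6 bgp' / 'show bgp ipv6' rows into dicts.

    Rows without a Network column (further paths for the prefix above, as
    the reflected copies appear) inherit the previous network.
    """
    rows, network = [], None
    for line in text.splitlines():
        if len(line) < 4 or line[0] not in "*sdhr " or line[1] not in "> ":
            continue
        codes, rest = line[:3], line[3:].split()
        if rest and "/" in rest[0]:
            network, rest = rest[0], rest[1:]
        elif network is None:
            continue
        if not rest:
            continue
        try:
            nh = str(ipaddress.IPv6Address(rest[0]))
        except ValueError:
            continue
        rows.append({"network": network, "next_hop": nh,
                     "valid": codes[0] == "*", "best": codes[1] == ">",
                     "internal": codes[2] == "i"})
    return rows


def best_paths(rows):
    """Map each network to the next hop of its best path ('::' = local origin)."""
    return {r["network"]: r["next_hop"] for r in rows if r["best"]}


def check_next_hops(rows):
    """Return (network, next_hop) for learned paths with a link-local next hop."""
    return [(r["network"], r["next_hop"]) for r in rows
            if r["next_hop"] != "::"
            and ipaddress.IPv6Address(r["next_hop"]).is_link_local]


if __name__ == "__main__":
    peers = parse_summary(SUMMARY_SAMPLE)
    for p in check_sessions(peers, {"fefe::a": 4, "fefe::d": 4}) or ["all sessions OK"]:
        print(p)
    for net, nh in check_next_hops(parse_table(TABLE_SAMPLE)):
        print(f"link-local next hop {nh} for {net}")
```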
Configure RIPv6
RIPv6 is used to propagate IPv6 routes to the local area networks. Since we do not want to learn routes via RIP we block all incoming route advertisements.
Edge1
Edge1(config)#ipv6 router rip EDGE-LAN
Edge1(config-rtr)#distance 254
Edge1(config-rtr)#redistribute bgp 65000 metric 10
Edge1(config-rtr)#distribute-list prefix-list DENY_ALL in
Edge1(config-rtr)#exit
Edge1(config)#
Edge1(config)#ipv6 prefix-list DENY_ALL deny ::/0
Edge1(config)#
Edge1(config)#interface ethernet 0
Edge1(config-if)#ipv6 router rip EDGE-LAN
Edge1(config-rtr)#exit
Don’t forget wr mem. Let us see if the configuration is working.
Edge1
Edge1#show ipv6 rip
RIP process "EDGE-LAN", port 521, multicast-group FF02::9, pid 76
     Administrative distance is 120. Routing table is 0
     Updates every 30 seconds, expire after 180
     Holddown lasts 180 seconds, garbage collect after 120
     Split horizon is on; poison reverse is off
     Default routes are not generated
     Periodic updates 8, trigger updates 0
Edge1#
Edge1#term moni
Edge1#debug ipv6 rip
RIP Routing Protocol debugging is on
Edge1#
Oct  9 22:03:13.100: RIPng: Sending multicast update on Ethernet0 for EDGE-LAN
Oct  9 22:03:13.104:         src=FE80::200:CFF:FE4A:A1D1
Oct  9 22:03:13.104:         dst=FF02::9 (Ethernet0)
Oct  9 22:03:13.108:         sport=521, dport=521, length=72
Oct  9 22:03:13.112:         command=2, version=1, mbz=0, #rte=3
Oct  9 22:03:13.112:         tag=0, metric=10, prefix=FEFE:A::/64
Oct  9 22:03:13.116:         tag=0, metric=10, prefix=FEFE:D::/64
Oct  9 22:03:13.116:         tag=0, metric=1, prefix=FEFE:E1::/64
Oct  9 22:03:39.688: RIPng: Sending multicast update on Ethernet0 for EDGE-LAN
Oct  9 22:03:39.692:         src=FE80::200:CFF:FE4A:A1D1
Oct  9 22:03:39.692:         dst=FF02::9 (Ethernet0)
Oct  9 22:03:39.696:         sport=521, dport=521, length=72
Oct  9 22:03:39.700:         command=2, version=1, mbz=0, #rte=3
Oct  9 22:03:39.700:         tag=0, metric=10, prefix=FEFE:A::/64
Oct  9 22:03:39.704:         tag=0, metric=10, prefix=FEFE:D::/64
Oct  9 22:03:39.704:         tag=0, metric=1, prefix=FEFE:E1::/64
Oct  9 22:04:06.496: RIPng: Sending multicast update on Ethernet0 for EDGE-LAN
Oct  9 22:04:06.500:         src=FE80::200:CFF:FE4A:A1D1
Oct  9 22:04:06.504:         dst=FF02::9 (Ethernet0)
Oct  9 22:04:06.504:         sport=521, dport=521, length=72
Oct  9 22:04:06.508:         command=2, version=1, mbz=0, #rte=3
Oct  9 22:04:06.508:         tag=0, metric=10, prefix=FEFE:A::/64
Oct  9 22:04:06.512:         tag=0, metric=10, prefix=FEFE:D::/64
Oct  9 22:04:06.516:         tag=0, metric=1, prefix=FEFE:E1::/64
Edge1#
Edge1#un all
All possible debugging has been turned off
Edge1#
Edge1#debug ipv6 icmp
ICMP packet debugging is on
Edge1#
Oct  9 22:07:08.405: ICMPv6-ND: Sending RA to FF02::1 on Ethernet0
Oct  9 22:07:08.409: ICMPv6-ND:     prefix = FEFE:E1::/64 onlink autoconfig
Edge1#
Looks like we have a working configuration. Router Edge2 can be configured accordingly.
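Reading the debug ipv6 rip output by hand confirms the policy once; the following script, an added example that is not part of the workbook or of IOS, reconstructs each RIPng update from such debug lines and checks it against the intended policy: multicast to FF02::9 from a link-local source on port 521, a response (command=2) whose #rte matches the RTEs listed, BGP-redistributed prefixes at metric 10, the connected LAN prefix at metric 1, and never a default route. The sample is the first update from the log followed by a constructed faulty one so the check has something to report.

```python
"""Parse IOS 'debug ipv6 rip' output and validate the outgoing RIPng updates."""
import ipaddress
import re

# Constructed sample: the first update as logged above, then a deliberately
# faulty update (default route advertised, #rte header disagrees with the RTEs).
DEBUG_SAMPLE = """\
Oct  9 22:03:13.100: RIPng: Sending multicast update on Ethernet0 for EDGE-LAN
Oct  9 22:03:13.104:         src=FE80::200:CFF:FE4A:A1D1
Oct  9 22:03:13.104:         dst=FF02::9 (Ethernet0)
Oct  9 22:03:13.108:         sport=521, dport=521, length=72
Oct  9 22:03:13.112:         command=2, version=1, mbz=0, #rte=3
Oct  9 22:03:13.112:         tag=0, metric=10, prefix=FEFE:A::/64
Oct  9 22:03:13.116:         tag=0, metric=10, prefix=FEFE:D::/64
Oct  9 22:03:13.116:         tag=0, metric=1, prefix=FEFE:E1::/64
Oct  9 22:09:40.000: RIPng: Sending multicast update on Ethernet0 for EDGE-LAN
Oct  9 22:09:40.004:         src=FE80::200:CFF:FE4A:A1D1
Oct  9 22:09:40.004:         dst=FF02::9 (Ethernet0)
Oct  9 22:09:40.008:         sport=521, dport=521, length=52
Oct  9 22:09:40.012:         command=2, version=1, mbz=0, #rte=3
Oct  9 22:09:40.012:         tag=0, metric=1, prefix=::/0
Oct  9 22:09:40.016:         tag=0, metric=10, prefix=FEFE:A::/64
"""

TS_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d\.\d+:\s*")
UPDATE_RE = re.compile(r"RIPng: Sending (\w+) update on (\S+) for (\S+)")
FIELD_RE = re.compile(r"(#?\w+)=([^,\s]+)")  # key=value pairs, '#rte' included


def parse_ripng_debug(text):
    """Group debug lines into updates: header fields plus a list of RTEs."""
    updates, cur = [], None
    for line in text.splitlines():
        body = TS_RE.sub("", line, count=1).strip()
        m = UPDATE_RE.match(body)
        if m:
            cur = {"kind": m.group(1), "interface": m.group(2),
                   "process": m.group(3), "rtes": []}
            updates.append(cur)
            continue
        if cur is None:
            continue
        fields = dict(FIELD_RE.findall(body))
        if "prefix" in fields:
            net = ipaddress.IPv6Network(fields["prefix"], strict=False)
            cur["rtes"].append({"prefix": str(net), "metric": int(fields["metric"]),
                                "tag": int(fields["tag"])})
        else:
            cur.update(fields)
    return updates


def check_updates(updates, bgp_metrics, lan_prefixes):
    """Validate each update against the lab policy; return a list of findings.

    bgp_metrics: {prefix: metric} for routes redistributed from BGP (10 in
    the Edge1 config); lan_prefixes: connected prefixes expected at metric 1.
    """
    findings = []
    for i, u in enumerate(updates):
        where = f"update {i} on {u['interface']}"
        if not ipaddress.IPv6Address(u.get("src", "::")).is_link_local:
            findings.append(f"{where}: source {u.get('src')} is not link-local")
        if u.get("dst", "").lower() != "ff02::9":
            findings.append(f"{where}: destination {u.get('dst')} is not FF02::9")
        if (u.get("sport"), u.get("dport")) != ("521", "521"):
            findings.append(f"{where}: unexpected ports {u.get('sport')}/{u.get('dport')}")
        if u.get("command") != "2":
            findings.append(f"{where}: command {u.get('command')} is not a response")
        if int(u.get("#rte", -1)) != len(u["rtes"]):
            findings.append(f"{where}: header says {u.get('#rte')} RTEs, saw {len(u['rtes'])}")
        for rte in u["rtes"]:
            p, m = rte["prefix"], rte["metric"]
            if p == "::/0":
                findings.append(f"{where}: default route advertised (metric {m})")
            elif m >= 16:
                findings.append(f"{where}: {p} advertised as unreachable (metric {m})")
            elif p in bgp_metrics and m != bgp_metrics[p]:
                findings.append(f"{where}: {p} metric {m}, expected {bgp_metrics[p]}")
            elif p in lan_prefixes and m != 1:
                findings.append(f"{where}: connected {p} metric {m}, expected 1")
            elif p not in bgp_metrics and p not in lan_prefixes:
                findings.append(f"{where}: unexpected prefix {p}")
    return findings


if __name__ == "__main__":
    ups = parse_ripng_debug(DEBUG_SAMPLE)
    policy = ({"fefe:a::/64": 10, "fefe:d::/64": 10}, {"fefe:e1::/64"})
    for f in check_updates(ups, *policy) or ["all updates conform to policy"]:
        print(f)
```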
C.1.3 Configure NetBSD/Zebra Edge Router
Well, by now you should already have a good understanding of how to configure a NetBSD edge router for IPv6.
Basically the following steps are required on an edge router:
• Edit /etc/rc.conf and /etc/rc.local. Check the section regarding configuration of route reflectors.
• Configure interfaces for IPv6 (including gif, loopback, and Ethernet).
• Configure static IPv6 routes for the loopback interfaces of the peering routers.
• Configure BGP analogous to a Cisco edge router.
• Configure RIPv6 to redistribute IPv6 routes on edge networks.
On the hub routers (Anchor and Dinghy) the following steps are required:
• Configure the interfaces towards the edge router. [11]
• Configure static IPv6 routes for the loopback interface of the edge router.
• Configure BGP like for a Cisco edge router.
[11] In the case of router Core4 this is a gif interface on Anchor. Dinghy is attached via a local area network.
C.2 Configuring DJBDNS
Anchor and Dinghy provide name service for the lab network. In order to provide the service both machines have djbdns (http://cr.yp.to/djbdns.html) and daemontools (http://cr.yp.to/daemontools.html) installed.
[email protected]> pkg_info djbdns
Information for djbdns-1.05:
Comment:
Collection of secure and reliable DNS tools by Dan Bernstein
Description:
DJBDNS is a collection of Domain Name System tools. It includes several components:
* The dnscache program is a local DNS cache. It accepts recursive DNS queries from local clients such as web browsers. It collects responses from remote DNS servers.
* The tinydns program is a fast, UDP-only DNS server. It makes local DNS information available to the Internet.
* The pickdns program is a load-balancing DNS server. It points clients to a dynamic selection of IP addresses.
* The walldns program is a reverse DNS wall. It provides matching reverse and forward records while hiding local host information.
* The dns library handles outgoing and incoming DNS packets. It can be used by clients such as web browsers to look up host addresses, host names, MX records, etc. It supports asynchronous resolution.
* The dnsfilter program is a parallel IP-address-to-host-name converter.
* The dnsip, dnsip6, dnsipq, dnsname, dnstxt, and dnsmx programs are simple command-line interfaces to DNS.
* The dnsq and dnstrace programs are DNS debugging tools.
You may also want to use:
* pkgsrc/net/ucspi-tcp, if you’re going to use axfrdns or axfr-get
* tinydns logfile formatter, installed under ${PREFIX}/bin/tinydns-log
* dnscache logfile formatter, installed under ${PREFIX}/bin/dnscache-log
(formatters are taken from http://tinydns.org, they need perl to run)
* tai64nlocal (pkgsrc/sysutils/daemontools) -- to convert timestamps printed out by these two formatters to human readable form
This package includes IPv6 patches written by Fefe, see http://www.fefe.de/dns/ for more details.
Please read http://cr.yp.to/djbdns/upgrade.html if you’re upgrading from a previous version of djbdns.
Homepage:
http://cr.yp.to/djbdns.html
[email protected]> pkg_info daemontools
Information for daemontools-0.70:
Comment:
Service monitoring and logging utilities by djb
Description:
Daemontools is a small set of /very/ useful utilities, from Dan Bernstein. They are mainly used for controlling processes, and maintaining logfiles.
Homepage:
http://cr.yp.to/daemontools.html
The following section, which follows Martin Lesser’s dnscache-HOWTO (http://www.better-com.de/dnscache/howto-de/), gives an overview of the configuration. Some stuff has been stolen from the ‘Inofficial djbdns FAQ’ (http://www.fefe.de/djbdns/), which is also a very useful resource.
Two machines are used to provide naming service for the lab. Unlike BIND, djbdns does not use a concept of primary and secondary name servers. Both name servers are equal. There are no zone transfers required with djbdns. Synchronization of the two databases can be done using utilities such as rsync.
The name service on a single machine is implemented by two programs, dnscache and tinydns. It is not possible to use the same IP address for both programs. dnscache is configured with the IP address of the Ethernet interface. tinydns is configured with the IP address of the loopback interface (127.0.0.1). Then dnscache is configured to ask the local instance of tinydns.
Firstly we create the required user accounts. Please note that the accounts do not require a home directory. The login shell is set to /sbin/nologin for security reasons.
root@dinghy.brest.lab# useradd -g nogroup tinydns
useradd: Warning: home directory ‘/home/tinydns’ doesn’t exist, and -m was not specified
root@dinghy.brest.lab# useradd -g nogroup dnscache
useradd: Warning: home directory ‘/home/dnscache’ doesn’t exist, and -m was not specified
root@dinghy.brest.lab# useradd -g nogroup dnslog
useradd: Warning: home directory ‘/home/dnslog’ doesn’t exist, and -m was not specified
root@dinghy.brest.lab# which nologin
/sbin/nologin
root@dinghy.brest.lab# chsh tinydns
#Changing user database information for tinydns.
<snip>
Shell: /sbin/nologin
<snip>
root@dinghy.brest.lab# chsh dnscache
#Changing user database information for dnscache.
<snip>
Shell: /sbin/nologin
<snip>
root@dinghy.brest.lab# chsh dnslog
#Changing user database information for dnslog.
Login: dnslog
<snip>
Shell: /sbin/nologin
<snip>
root@dinghy.brest.lab#
Now we are going to configure tinydns. Firstly we create the name server, DNS zone, and reverse lookup zones for the lab network.
root@dinghy.brest.lab# tinydns-conf tinydns dnslog /etc/tinydns 127.0.0.1
root@dinghy.brest.lab#
root@dinghy.brest.lab# cd /etc/tinydns/root
root@dinghy.brest.lab# ls
Makefile add-alias6 add-host add-mx data
add-alias add-childns add-host6 add-ns
root@dinghy.brest.lab#
root@dinghy.brest.lab# ./add-ns brest.lab 127.0.0.1
root@dinghy.brest.lab# ./add-ns 16.172.in-addr.arpa 127.0.0.1
root@dinghy.brest.lab# ./add-ns 168.192.in-addr.arpa 127.0.0.1
root@dinghy.brest.lab# ./add-ns 10.in-addr.arpa 127.0.0.1
Now we populate the zone with name to address mappings. Reverse lookup zones will be populated automagically.
root@dinghy.brest.lab# ./add-host dinghy.brest.lab 172.16.255.2
root@dinghy.brest.lab# ./add-host anchor.brest.lab [email protected]
root@dinghy.brest.lab# ./add-host core1.brest.lab [email protected]
root@dinghy.brest.lab# ./add-host core2.brest.lab [email protected]
root@dinghy.brest.lab# ./add-host core3.brest.lab [email protected]
root@dinghy.brest.lab# ./add-host edge1.brest.lab [email protected]
root@dinghy.brest.lab# ./add-host edge2.brest.lab [email protected]
root@dinghy.brest.lab# ./add-host edge3.brest.lab 172.16.0.13
Some aliases for lab boxes.
root@dinghy.brest.lab# ./add-alias www.brest.lab [email protected]
root@dinghy.brest.lab# ./add-alias mrtg.brest.lab [email protected]
root@dinghy.brest.lab# ./add-alias ns1.brest.lab [email protected]
root@dinghy.brest.lab# ./add-alias ns2.brest.lab 172.16.255.2
Since NetBSD’s djbdns package includes IPv6 patches written by Felix von Leitner (http://www.fefe.de/dns/), we do have IPv6 naming service out of the box.
root@dinghy.brest.lab# ./add-host6 dinghy.ipv6.brest.lab fefe::d
root@dinghy.brest.lab# ./add-host anchor.ipv6.brest.lab fefe::a
In the second step we configure the dnscache program. Firstly we create the cache. Please note that we bind the dnscache program to the IP address of the Ethernet interface. Above we configured the tinydns program to use the loopback address.
root@dinghy.brest.lab# dnscache-conf dnscache dnslog /etc/dnscache 172.16.255.2
By default dnscache will only answer requests initiated from the hosting machine. Now we configure it to accept requests from all machines in the lab network. The file /etc/dnscache/root/ip/10 instructs dnscache to accept requests from IPv4 addresses in the range 10.0.0.0/16.
root@dinghy.brest.lab# touch /etc/dnscache/root/ip/[email protected]
root@dinghy.brest.lab# touch /etc/dnscache/root/ip/[email protected]
root@dinghy.brest.lab# touch /etc/dnscache/root/ip/10
Now we instruct dnscache to consult the local tinydns server to resolve names in the lab zones.
root@dinghy.brest.lab# cd /etc/dnscache/root/servers/
root@dinghy.brest.lab# ls
@
root@dinghy.brest.lab# echo ’127.0.0.1’ > brest.lab
root@dinghy.brest.lab# echo ’127.0.0.1’ > 16.172.in-addr.arpa
root@dinghy.brest.lab# echo ’127.0.0.1’ > 168.192.in-addr.arpa
root@dinghy.brest.lab# echo ’127.0.0.1’ > 10.in-addr.arpa
root@dinghy.brest.lab#
root@dinghy.brest.lab# ll
total 5
-rw-r--r-- 1 root wheel 10 Oct 4 18:08 10.in-addr.arpa
-rw-r--r-- 1 root wheel 10 Oct 4 18:08 16.172.in-addr.arpa
-rw-r--r-- 1 root wheel 10 Oct 4 18:08 168.192.in-addr.arpa
-rw-r--r-- 1 root wheel 164 Oct 4 18:04 @
-rw-r--r-- 1 root wheel 10 Oct 4 18:07 brest.lab
root@dinghy.brest.lab#
root@dinghy.brest.lab# cat brest.lab
127.0.0.1
root@dinghy.brest.lab#
root@dinghy.brest.lab# cat 16.172.in-addr.arpa
127.0.0.1
root@dinghy.brest.lab# cat 168.192.in-addr.arpa
127.0.0.1
root@dinghy.brest.lab# cat 10.in-addr.arpa
127.0.0.1
root@dinghy.brest.lab#
root@dinghy.brest.lab# cat @
198.41.0.4
128.9.0.107
192.33.4.12
128.8.10.90
192.203.230.10
192.5.5.241
192.112.36.4
128.63.2.53
192.36.148.17
198.41.0.10
193.0.14.129
198.32.64.12
202.12.27.33
root@dinghy.brest.lab#
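The two directories just populated are the whole access policy of this cache: root/ip decides which clients are answered at all, root/servers decides which upstream answers which names. The following is an added example (not djbdns code and not from the workbook) that models the matching rules of dnscache's okclient() and roots() routines over a constructed picture of Dinghy's configuration. The ip/ entry "10" is from the transcript above; the second entry "172.16" is an assumption standing in for the lab's 172.16.0.0/16 net, and the "@" list is cut to the first two root servers shown.

```python
# Added example (not djbdns code): how dnscache matches client addresses
# against root/ip and query names against root/servers.
# Constructed picture of /etc/dnscache/root on Dinghy. "10" is the file
# created above; "172.16" is an assumed entry for the 172.16.0.0/16 lab net.
ALLOWED_IP_FILES = {"10", "172.16"}

# root/servers: file name -> upstream addresses. "@" stands for the root
# zone; its list is cut down to the first two addresses shown above.
SERVER_FILES = {
    "@": ["198.41.0.4", "128.9.0.107"],
    "brest.lab": ["127.0.0.1"],
    "16.172.in-addr.arpa": ["127.0.0.1"],
    "168.192.in-addr.arpa": ["127.0.0.1"],
    "10.in-addr.arpa": ["127.0.0.1"],
}


def okclient(client_ip, ip_files=ALLOWED_IP_FILES):
    """Mirror dnscache's okclient(): look for root/ip/<address>, then keep
    dropping the last dotted component until a file exists or nothing is
    left. A file named "10" therefore admits every client whose first
    octet is 10, and "172.16" every client in 172.16.0.0/16."""
    candidate = client_ip
    while True:
        if candidate in ip_files:
            return True
        dot = candidate.rfind(".")
        if dot < 0:
            return False
        candidate = candidate[:dot]


def upstream_for(qname, server_files=SERVER_FILES):
    """Mirror dnscache's roots(): look for root/servers/<name>, stripping
    one leading label at a time; the empty name maps to the "@" file.
    Returns (matching file, list of server addresses) or None."""
    name = qname.strip(".").lower()
    labels = name.split(".") if name else []
    for i in range(len(labels) + 1):
        suffix = ".".join(labels[i:]) or "@"
        if suffix in server_files:
            return suffix, list(server_files[suffix])
    return None


def reverse_name(ipv4):
    """PTR owner name of an IPv4 address, e.g. 172.16.0.13 becomes
    13.0.16.172.in-addr.arpa, so it is caught by the 16.172 zone file."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("expected a dotted-quad IPv4 address")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def route_query(client_ip, qname):
    """What happens to one query reaching dnscache on Dinghy: refused
    clients get None, everyone else the file and upstream list used."""
    if not okclient(client_ip):
        return None
    return upstream_for(qname)


if __name__ == "__main__":
    samples = [
        ("10.200.1.1", "core1.brest.lab"),             # ip/10 -> local tinydns
        ("172.16.0.13", reverse_name("172.16.0.13")),  # reverse zone -> tinydns
        ("172.16.0.13", "www.netbsd.org"),             # lab client -> root servers
        ("192.0.2.7", "core1.brest.lab"),              # no ip/ file: refused
    ]
    for client, name in samples:
        print(f"{client:<12} {name:<26} -> {route_query(client, name)}")
```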
Lastly we create entries for dnscache and tinydns in the service directory. This puts the programs under control of the daemontools.
root@dinghy.brest.lab# ll /service
total 0
lrwxr-xr-x 1 root wheel 21 Oct 1 14:09 gated -> /usr/local/etc/gated/
lrwxr-xr-x 1 root wheel 18 Sep 30 16:25 zebra -> /usr/pkg/etc/zebra
root@dinghy.brest.lab#
root@dinghy.brest.lab# ln -s /etc/tinydns /service
root@dinghy.brest.lab# ln -s /etc/dnscache /service
root@dinghy.brest.lab#
root@dinghy.brest.lab# ll /service
total 0
lrwxr-xr-x 1 root wheel 13 Oct 4 18:13 dnscache -> /etc/dnscache
lrwxr-xr-x 1 root wheel 21 Oct 1 14:09 gated -> /usr/local/etc/gated/
lrwxr-xr-x 1 root wheel 12 Oct 4 18:12 tinydns -> /etc/tinydns
lrwxr-xr-x 1 root wheel 18 Sep 30 16:25 zebra -> /usr/pkg/etc/zebra
root@dinghy.brest.lab#
root@dinghy.brest.lab# ps -aux | grep tinydns
tinydns 28740 0.0 0.8 164 492 ?? S 6:12PM 0:00.22 /usr/pkg/bin/tinydns
root 28732 0.0 0.7 36 464 ?? S 6:12PM 0:00.09 supervise tinydns
root 29719 0.0 0.9 204 588 p1 S+ 6:13PM 0:00.06 grep tinydns
root@dinghy.brest.lab#
root@dinghy.brest.lab# ps -aux | grep dnscache
dnscache 28957 0.0 2.7 1388 1796 ?? S 6:13PM 0:00.35 /usr/pkg/bin/dnscache
root 28952 0.0 0.7 36 464 ?? S 6:13PM 0:00.09 supervise dnscache
root 29896 0.0 2.6 1424 1708 p1 RV 6:13PM 0:00.00 grep dnscache (tcsh)
root@dinghy.brest.lab#
Check if the name service is running properly.
root@dinghy.brest.lab# dnsipq core1
core1.brest.lab [email protected]
root@dinghy.brest.lab#
root@dinghy.brest.lab# dnsip [email protected]
root@dinghy.brest.lab#
root@dinghy.brest.lab# dnsname [email protected]
root@dinghy.brest.lab#
That was easy, wasn’t it?
The configuration on node Anchor is analogous to the example above.
D Xyplex MaxServer 1600
iTouch Communications (http://www.itouchcom.com/) has taken over the old Xyplex terminal server product line. Transferring the documentation section from the Nbase/Xyplex web site to the iTouch web site was lossy. I included documentation from the iTouch web site so that this document is now self contained.
D.1 Access Server Administrator’s Primer
The NBase-Xyplex Access Server is a multi-protocol terminal server which supports direct asynchronous connections for most serial peripherals. These devices can be terminals, printers, async modems for remote access, console ports for UNIX workstations, management ports on switches, hand-held scanners, and a variety of other data-collecting serial devices. The access server can concurrently support users who are logged into IP and VMS systems, dial-in and dial-out with interactive, SLIP or PPP sessions, network printing, and provide network access to serial management ports on other network devices.
The purpose of this document is to provide an overview of the initial key issues you should be aware of when first working with the unit. These key issues include: the server’s loading process, user interface concepts, server and port configurations, and safe methods for rebooting the server after it has been configured.
D.1.1 Bootstrap
The access server REQUIRES that it be connected to a 10 Mbps Ethernet LAN before it will start the normal loading sequence. The unit does not support 100 Mbps Fast Ethernet. During the loading process, if a LAN connection is not seen by the unit, then it will not load and the following message will be displayed on an attached terminal:
Searching for a Functional Standard Ethernet Network.
To resolve this problem, verify the cabling between the LAN and the Ethernet port on the access server. For 10BaseT connections, a straight-through Ethernet cable is required between the access server and a DCE device (such as an Ethernet hub or switch), and a cross-over Ethernet cable is required for connections to a DTE device (such as a bridge/router). Once the LAN is detected, the unit will complete a hardware self test and begin to load. To complete the loading process and become fully functional, the server requires two files: the software image or runtime code AND the parameter file. The access server will first load the runtime image, then load and implement the parameter database. The server’s boot ROMs are designed to load both files using several loading protocols.
Software Image
The Access Server defaults to load the runtime image using protocols in the following order:
CARD For loading from a local FLASH memory card that is inserted in the unit.
XMOP Xyplex’s proprietary load protocol where one Xyplex device will act as a load server for another Xyplex device.
MOP The unit will send DEC MOP load broadcasts across the LAN searching for a VAX load server.
BOOTP The unit will send a BOOTP broadcast, searching for a BOOTP server to gain an IP address to use so it can TFTP download the image runtime code from a TFTP host. If a router is between the Xyplex device and the BOOTP server, you will need to ensure the router will forward BOOTP packets on to the BOOTP server. BOOTP is not routable. Cisco calls this a helper IP.
RARP The unit will send a RARP broadcast looking for a response from a RARP server to provide an IP address to use so it can TFTP download the image runtime code from a TFTP host.
Once the access server has downloaded the image file, it will then decompress and implement the runtime code it received.
D.1.2 Parameter File
Once the server has processed the runtime image, it will then download and implement the parameter database. The parameter file contains all of the server and port settings. Should this file be incomplete or corrupted, the access server will either complete the bootstrap process using the default parameter set, or it will not completely boot/reboot, instead displaying a flashing LED error code on the front panel. To correct this situation, please reference the ”Getting Started” manual and follow the process to gain access to the ROM Configuration Menu in order to default the server and port settings. There is also a Technical Paper available on the NBase-Xyplex web page that outlines this process in detail:
http://www.nbase-xyplex.com/support/documentation/tp/default2.cfm
The process will require a directly attached terminal on any single async port on the server. The server’s default parameter load protocols are in the order below (this order may vary depending on the access server hardware type you are working with):
NVS Non-Volatile Storage located within the unit on the motherboard. This is the default for all NBase-Xyplex access servers except the N9-720, which has no NVS on board.
CARD The only NBase-Xyplex access server that can retrieve its parameter file from an on-board flash memory card would be the N9-720 server. No other server can support this function directly.
XMOP Using the Xyplex proprietary protocol, the server will broadcast a load request to get a copy of its parameter file from another Xyplex device which has stored its parameter file. The responding Xyplex device must have a local flash memory card (where it stores the parameter files for other units) and have ”Manager Load” and ”Parameter Service” as enabled functions.
MOP The unit will send DEC MOP load broadcasts across the LAN searching for a VAX load server that is running the Xyplex software process ”xyp manager” and has an NCP entry for that access server as well as a copy of its parameter file. NOTE: ”xyp manager” is not supported on OpenVMS version 6.2 or higher.
BOOTP Same process as for the image loading, but the unit will look for a file named ”x012345.prm” from the TFTP server (where 012345 represents the last 6 digits of the unit’s Ethernet address).
RARP Same process as for the image loading, but the unit will look for a file named ”x012345.prm” from the TFTP server (where 012345 represents the last 6 digits of the unit’s Ethernet address).
D.1.3 Login
Once the server is fully booted, the RUN and LAN lights will flash about once per second. At this time, press the RETURN or ENTER key on the terminal keyboard several times. This will allow the access server’s port to autobaud to the speed your terminal is set to. Terminal parameters should be set to VT100 emulation, character size 8, parity none, stop bits 1, and XON/XOFF (software) flow control. As you press the return key, the LED in the front panel that corresponds to the port your terminal is connected to should flash. If it doesn’t, there could be a communications issue between the port and your terminal. You should verify your terminal settings and cabling between the two. Reference the ”Getting Started” manual for DTE pinouts and cabling requirements. There is also a Technical Paper available on the NBase-Xyplex web page that provides this information as well:
http://www.nbase-xyplex.com/support/documentation/tp/as_cabling.cfm
Once the port and the terminal are communicating properly, you will see the server’s default welcome message and be prompted to log into the server:
Welcome to the Xyplex Terminal Server.
Enter username>
At this point, the server is just looking for any name or character string to be entered. It is not looking for something specific - whatever you enter is not important. The ”string” you provide will appear on certain ”show port” screens as a visual reference to indicate who is logged in there, for user and administrator convenience only.
Enter username> enter_some_string
After entering any alpha or numeric string, you are presented with the default port prompt:
Xyplex>
At this point you are logged into and talking to an active and functional access server port. The next step is to configure the unit to meet your needs and goals.
D.1.4 Configuration
The parameter database is where the access server’s unique profile and port settings are stored, and from where they are reloaded each time the server is rebooted. The parameter file is where all the changes you make to the server and each port are saved. This file needs to be protected so that it does not get corrupted during a reboot.
In order to make changes to the parameter file (i.e. configure the unit), you must be in privileged (priv) mode. The sequence is as follows (please note the user command and the default privilege password):
Xyplex> set priv
Password: system
Xyplex>>
The port prompt has changed to include a double greater-than symbol. You may shorten this sequence to the single command string set priv system, but this is software version dependent.
The server has two memory levels, if you will, thus there are two types of commands used during configuration.
Level 1 is Active Memory (or operational database), which is the current configuration the server and ports are working with while the unit is in operation. Should you issue a SET command to change a parameter to a different value, that configuration change would be lost when the port is logged out (for port settings) or if the server was rebooted. The SET command allows for a temporary change to the active working parameter set. If the SET command was used to change a port setting, that setting will revert back to the original setting when the port resets for any reason (including a simple logout by the user on that port, or if someone in privileged mode logs that port out, or if the server is rebooted).
Level 2 memory is Permanent Memory (or stored configuration), which is recalled upon a reboot or port logout. Should you want to make a change to the server and port settings that needs to be recalled after a reboot of the server or after a port is logged out, a DEFINE command would be required.
The SET commands can be used by both privileged and non-privileged users. The DEFINE commands are limited to the privileged user only. The following examples will illustrate the effect of the SET command versus the DEFINE command after a user logs out:
Change the port prompt in the Active Memory configuration:
Xyplex> set port prompt "Port_3"
The yield of the above command:
Port_3> logout
After the user logs out, the port will reset and go back to the values as defined in the Permanent Memory database. Note the port prompt once the user logs back into the port:
Xyplex>
Change the port prompt in the Level 2 Permanent Memory configuration:
Xyplex>> define port prompt "Port_3"
The yield of the above command:
Xyplex>> logout
After the user logs out of the port, it will reset and read the settings stored in the permanent database, implementing the new setting. Notice the port prompt once the user logs back into the port:
Port_3>
When configuring the access server, there is a parameter feature called ”CHANGE” that, when enabled, will automatically execute the SET command whenever you issue a DEFINE command, thus eliminating the need for typing in the second command line.
To enable the CHANGE feature, execute:
Xyplex>> set server change enable
Xyplex>> define server change enable
Here is how it is helpful: When you define an internet address to the server using Xyplex>> define server internet address 10.10.10.3, the IP address is written to permanent memory, which would then require either the SET command to also be issued or a reboot of the entire server in order for the value to become active. If you only issued a SET command with Xyplex> set server internet address 10.10.10.3, the IP address would become active immediately, but lost when the server was rebooted unless the DEFINE was also performed. This example illustrates that changing both the temporary and permanent configuration would require two commands without a reboot. With CHANGE enabled, when you issued the define server internet address command, the server would:
• Update the permanent configuration database,
• Automatically execute the SET command so the IP address would become active right away without requiring a reboot.
Please Note: NOT all server or port parameters can be changed with the SET command. When the CHANGE feature is enabled, at some point you will define some parameter and be prompted with a warning or informational message:
Xyplex -729- Parameter cannot be modified by a SET command.
Some of the commands cannot be ”set” because the change could affect any users that may be logged into that particular server/port(s). The message is also displayed when enabling certain server-wide features and protocols (such as LPD, RADIUS, IPX, etc.), because memory resources will need to be allocated for the feature’s use. These features will also display the message Xyplex -705- Change leaves approximately # bytes free.
If you see this message after making a parameter change to a port, you will need to reset the port for the change to become active/operational immediately. To do this, you simply need to issue the command logout port # (which, in addition to ”set”-ting the parameter, will also disconnect any user who may be connected to it):
Xyplex>> logout port #
(where "#" is the physical port number you made the change to)
If you see this message after issuing a command to change a server-wide parameter, or enable a feature, then you will need to reboot the server at some point for the new parameter to be implemented. Follow the instructions on safe reboot methods in the next section of this paper.
D.1.5 Rebooting
Important: To reboot the server, it is strongly recommended you use the configuration/parameter friendly reboot command initialize:
Xyplex>> initialize
This is a command where the server will, by default, wait for one minute before it automatically reboots using the boot/load sequences discussed earlier. You can also modify the time to reboot by providing a time argument:
Xyplex>> initialize delay #
(where "#" is the variable in minutes before the unit will reboot)
If the time argument is ”0” the unit will reboot immediately. If the time argument is greater than ”0”, the server will reboot in the number of minutes specified.
The beauty of the initialize command is that it is parameter-database friendly. Provided the parameter/configuration file is current and up-to-date and in an idle state (see the show parameter server screen), the server will terminate all processes and proceed through a normal bootstrap process. If the server is still writing the parameter changes to permanent memory, it will not prematurely terminate the write process, so as to prevent corruption of the parameter database. The server will instead give you a warning message:
Xyplex -198- WARNING - changed configuration has not been saved.
After you issue the last define command, the server waits a period of time to make sure there are no more defines to follow, then it writes the ”lump sum” of your commands all at once to the parameter storage locations (i.e. flashcard, NVS, host). All of this takes approximately 30-40 seconds from the moment you issued the last define command. If the unit is forced to reboot while writing parameters, then the file will get corrupted. The initialize command will not force a reboot, and therefore, if it has not yet saved the changes, it will display the above message. Should this happen, give the Xyplex device another minute or so in order to complete the process of writing the parameter database to memory, then try issuing the initialize command again.
D.1.6 Normally NOT Suggested
There are three methods of rebooting the access server that are not sensitive to the storing status of the parameters. It is not suggested you execute any of them unless you verify the parameters are saved and current beforehand. The server command to check on the status of the parameter file storage state is:
Xyplex>> show parameter server
Check for the status, version, and storage state of the parameter servers. The storage state needs to be ”Idle”, the status should be ”current”, and the versions at each location should be the same as the value listed next to ”Last Update Version” in the first column. Again, the parameter database health is your responsibility should you do any of the next three processes.
• There is a server command CRASH. This command will reboot the server, but the process is as gentle as the word itself reflects. When you use this command, the server will immediately attempt to dump its core memory to a dump server. CRASH is not sensitive to the state of the parameter set. If the server is writing parameters to permanent memory, this command will terminate the write process immediately and there is a 100
• Another reboot process that is NOT sensitive to the parameter set is a power cycle of the unit. In other words, pulling the power cord. All processes are terminated immediately, including all the rules related to checking for a complete and valid parameter set. Defaulting the unit will be in order if the parameter database gets corrupted.
• The third reboot process, again not suggested, is using the reset switch. Pressing the reset switch with a paperclip two quick times will force the server to reboot. This process is also NOT parameter database sensitive. Should the server be writing parameters to memory, the write and verify process is terminated regardless of whether or not the process had been completed. If the unit displays a flash error code on a reboot, you will have to default the server parameters and start anew as well.
On a positive note: It is possible that, if the parameter file is current and in an idle state, and you happen to reboot using these last three mechanisms, you could be in luck and not have a problem. These reboot methods do work, but there is a high level of risk when used. It is best to always reboot using the initialize command whenever it is possible to access the server’s command line interface (CLI).
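The behaviour described in D.1.4 to D.1.6 (SET against the active database, DEFINE against permanent storage with its batched write, the CHANGE feature, initialize refusing to reboot while that write is pending, and the forced reboots that ignore it) is easier to follow as a small state model. The following is an added example, not Xyplex/iTouch code and not from the primer; the parameter names, the 40-second write window and the clock are simplifications chosen for the model.

```python
# Added example (not Xyplex/iTouch code): model of the two memory levels,
# the CHANGE feature and the parameter-write window on an access server.
DEFAULTS = {"port prompt": "Xyplex", "server internet address": None}
PORT_PARAMS = {"port prompt"}  # port settings reload when the port logs out
WRITE_WINDOW = 40              # seconds until batched defines reach storage
MSG_NOT_SAVED = "Xyplex -198- WARNING - changed configuration has not been saved."


class AccessServer:
    def __init__(self, change_enabled=False):
        self.permanent = dict(DEFAULTS)   # level 2: stored configuration
        self.active = dict(DEFAULTS)      # level 1: operational database
        self.change_enabled = change_enabled
        self.storage_state = "Idle"       # as shown by "show parameter server"
        self.clock = 0
        self._write_done_at = 0
        self.corrupted = False
        self.messages = []

    def wait(self, seconds):
        """Let time pass; a pending parameter write completes after WRITE_WINDOW."""
        self.clock += seconds
        if self.storage_state == "Writing" and self.clock >= self._write_done_at:
            self.storage_state = "Idle"

    def set(self, name, value):
        """SET: temporary change to the active database only."""
        self.active[name] = value

    def define(self, name, value):
        """DEFINE: change to permanent storage. The write is batched, so the
        storage state stays "Writing" for WRITE_WINDOW seconds after the last
        define. With CHANGE enabled the matching SET is executed as well."""
        self.permanent[name] = value
        self.storage_state = "Writing"
        self._write_done_at = self.clock + WRITE_WINDOW
        if self.change_enabled:
            self.set(name, value)

    def logout(self):
        """Port reset: port parameters revert to the permanent database."""
        for name in PORT_PARAMS:
            self.active[name] = self.permanent[name]

    def initialize(self):
        """Parameter-friendly reboot: refuses while a write is pending."""
        if self.storage_state != "Idle":
            self.messages.append(MSG_NOT_SAVED)
            return False
        self._reboot()
        return True

    def crash(self):
        """CRASH, power cycle or reset switch: reboots regardless of the
        storage state. An interrupted write corrupts the parameter file, and
        the unit then comes up with default parameters."""
        if self.storage_state == "Writing":
            self.corrupted = True
            self.permanent = dict(DEFAULTS)
        self._reboot()
        return not self.corrupted

    def _reboot(self):
        self.storage_state = "Idle"
        self.active = dict(self.permanent)

    def prompt(self):
        """The port prompt as shown to a logged-in user."""
        return self.active["port prompt"] + ">"


def walk_through():
    """Replay the primer's SET versus DEFINE example and return the prompts
    seen after each logout, plus what initialize() answers in between."""
    s = AccessServer()
    s.set("port prompt", "Port_3")
    after_set = s.prompt()             # "Port_3>"
    s.logout()
    after_set_logout = s.prompt()      # back to "Xyplex>"
    s.define("port prompt", "Port_3")
    before_define_logout = s.prompt()  # still "Xyplex>": CHANGE is off
    s.logout()
    after_define_logout = s.prompt()   # "Port_3>" from permanent memory
    too_early = s.initialize()         # False: write still pending
    s.wait(WRITE_WINDOW)
    ok = s.initialize()                # True: storage state is Idle again
    return (after_set, after_set_logout, before_define_logout,
            after_define_logout, too_early, ok)


if __name__ == "__main__":
    print(walk_through())
    c = AccessServer(change_enabled=True)
    c.define("server internet address", "10.10.10.3")
    print("active address with CHANGE:", c.active["server internet address"])
    print("crash during write kept config:", c.crash(), "corrupted:", c.corrupted)
```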
D.1.7 Additional Information
The NBase-Xyplex Access Servers are reliable network devices. They support several network protocols for loading their runtime code and server profile configuration/parameter files. Once the server is up and running, it can be configured to operate with permanent and temporary settings using the Define and Set commands at the server’s command line interface, i.e. the port prompt. The Access Server provides a help utility to solve command line syntax errors. It will always highlight or note the command or argument that is not known and will provide you with a list of valid commands or verbs it was expecting to see. The Access Server also provides informational and warning messages when certain conditions are met to assist you when working with and configuring the server. You are able to reboot the server from local or remote locations using the Initialize command, knowing it will validate the status of the parameter file first.
A key element when working with devices attached to physical ports on the server is the wiring between the ports and third party devices. The manual NBase-Xyplex provides with each unit will list the expected DTE and DCE pinouts and cable to use. The server supports various show port screens to display the port status and port counters, not discussed above, that can be used in troubleshooting communications issues. The Access Server also allows you to view port characteristics, alternate characteristics, and telnet characteristics to look at various port settings. These and many more commands are described and discussed in the Commands Reference Guide. This and other manuals are on the NBase-Xyplex Web page as well as on CD-ROM.
The intent of this document was to give a brief overview of a few key issues the System Administrator should know when working with the Access Server. The Access Server is a flexible device that can be configured to meet many and various needs.
D.1.8 Additional Documentation and Resources
NBase-Xyplex has available on our web site numerous detailed command line help files to assist you in configuring the access server and its ports. Help files are also available that outline the process to use certain host applications and features which interact with the access server’s functionality (e.g. CSPORTD printing, etc.), as well as some unique configurations other customers have implemented.
The web URL below brings you to the main page of the Customer Support area. For configuration and troubleshooting assistance, there are links here to our Technical Papers, Technical Tips, FAQ Finder, Manuals and User Guides, Software Downloads, and more.
http://www.nbase-xyplex.com/support/index.cfm
Customers who have purchased one of NBase-Xyplex’s various Service Support contract offerings will have access to a password-protected area where they can download the latest software updates from the web URL below:
http://www.nbase-xyplex.com/support/software/index.cfm
For Technical Papers specific to the Access Server, point your browser to:
http://www.nbase-xyplex.com/support/documentation/tp/access_menu.cfm
For Manuals and User Guides specific to the Access Server, point your browser to:
http://www.nbase-xyplex.com/support/documentation/product/guides/index.cfm?doc=accessserver
For Software Updates specific to the Access Server, point your browser to:
http://www.nbase-xyplex.com/support/contract/software/index.cfm?query=access
Copyright 2001 iTouch Communications, Inc.
D.2 Setting An MX-1600, MX-1608 or MX-1450 To Factory Defaults
• Straighten a paper clip and press it into the pin-size hole next to the console LED on the front panel of the unit. All LEDs on the front of the unit will light up.
• Press the paper clip in again and hold it in for 3-5 seconds. The LEDs will light up in a sweeping fashion from right to left, then left to right. When this sweeping stops, there will be 2 or 3 LEDs to the right lit; at this point release the paper clip.
• The LEDs will light up in a countdown pattern to 1 (diagnostic test pattern). Then they will all go out and the RUN light will be flashing very fast. You should have a terminal attached to one of the serial ports on the back of the unit. Press the ENTER key several times for the port to autobaud. You will see a text display similar to this:
Terminal Server, Type 97, Rev G.00.00
Ethernet address 08-00-87-05-A1-16, port 2
Configuration in progress. Please wait
• Type the password access (there is no password prompt and it will not display the characters you type) and then press ENTER on your keyboard. The menu below will display. Please select the menu options and answer the questions as detailed below to default your unit.
• To Default The Server Load/Dump Parameters:
Welcome to the Configuration Menu.
Terminal Server Configuration/Maintenance Menu
1. Display unit configuration
2. Modify unit configuration
3. Initialize server and port parameters
4. Revert to stored configuration
S. Exit saving configuration changes
X. Exit without saving configuration changes
Enter menu selection [X]: 2
Initialize configuration to defaults (Y,N) [N]? Y
(Type any key to continue)
Press ENTER on your keyboard at this time...
• To Default The Server And Port Parameters:
Terminal Server Configuration/Maintenance Menu
1. Display unit configuration
2. Modify unit configuration
3. Initialize server and port parameters
4. Revert to stored configuration
S. Exit saving configuration changes
X. Exit without saving configuration changes
Enter menu selection [X]: 3
When the software has been loaded, should default server and port parameters be used (Y,N) [N]? Y
• Save Configuration Changes And Reboot The Server:
Terminal Server Configuration/Maintenance Menu
1. Display unit configuration
2. Modify unit configuration
3. Initialize server and port parameters
4. Revert to stored configuration
S. Exit saving configuration changes
X. Exit without saving configuration changes
Enter menu selection [X]: S
Save changes and exit (Y,N) [Y]? Y
The access server will now reboot using factory settings.
Copyright 2001 iTouch Communications, Inc.
D.2.1 Configuring MX1600 To Load Image Via DTFTP
• Push a straightened paper clip into the pin-size hole on the far left side of the front panel (N9-720) or the pin-size hole next to the CONSOLE LED for the MX16xx series (insertion time is 1 second). All the LEDs will light up.
• Push the paper clip in again and hold it in for about 3-4 seconds. The LEDs will light up in a sweeping fashion from right to left, then left to right. When this pattern stops and LEDs 14, 15, 16 are lit, remove the paper clip.
• The LEDs will light up in a countdown pattern to 1, which is the diagnostic test. After they all go out, the RUN light will blink very fast. You should have a terminal or PC attached to one of the RJ-45 ports on the back of the server. Press the ENTER key on your keyboard several times to autobaud your terminal to the port speed. You will see text displayed similar to this:
Terminal Server, Type 97, Rev G.00.00
Ethernet address 08-00-87-0A-B9-BB
Configuration in progress. Please wait.
Please type the login password access at this time (there is no password prompt and it will not display the characters you type).
Welcome to the Initialization Configuration Menu.
Terminal Server Configuration Menu
1. Display unit configuration
2. Modify unit configuration
3. Initialize server and port parameters
4. Revert to stored configuration
X. Exit saving configuration changes
S. Exit without saving configuration changes
Enter menu selection [X]: 1
                           Stored Configuration        New Configuration
Status:                    Enabled                     Enabled
Image load method:         CARD XMOP MOP BOOTP RARP    CARD XMOP MOP BOOTP RARP
Parameter load method:     NVS XMOP MOP BOOTP RARP     NVS XMOP MOP BOOTP RARP
Dump method:               XMOP MOP BOOTP RARP         XMOP MOP BOOTP RARP
CARD/XMOP/MOP filename:    XPCS00S                     XPCS00S
Default unit IP addr:      0.0.0.0                     0.0.0.0
DTFTP host IP addr:        N/A                         N/A
DTFTP gateway IP addr:     N/A                         N/A
DTFTP filename:            N/A                         N/A
Load status messages:      Enabled                     Enabled
Network interface:         Automatic                   Automatic
Memory size expected       4 Megabytes                 4 Megabytes
                           (Found 4 Megabytes)
(Type any key to continue)
Terminal Server Configuration Menu
1. Display unit configuration
2. Modify unit configuration
3. Initialize server and port parameters
4. Revert to stored configuration
S. Exit saving configuration changes
X. Exit without saving configuration changes
Enter menu selection [X]: 2
Set Initialization record #1 to defaults (Y,N) [N]? N
Enable initialization record #1 (Y,N) [Y]? Y
Enable ALL methods for image loading (Y,N) [N]? N
Toggle (CARD,DTFTP,XMOP,MOP,BOOTP,RARP) load methods [C,X,M,B,R]: D
Toggle (CARD,DTFTP,XMOP,MOP,BOOTP,RARP) load methods [C,D,X,M,B,R]: (hit ENTER)
Enable ALL methods for parameter loading (Y,N) [Y]? (hit ENTER to accept defaults)
Enable ALL methods for dumping (Y,N) [Y]? (hit ENTER to accept defaults)
CARD/XMOP/MOP image filename (16 characters max) [XPCSRV20]: (hit ENTER)
Enter unit IP address [0.0.0.0]: enter IP address of access server
Enter host IP address [0.0.0.0]: enter IP address of the load host
Enter gateway IP address [0.0.0.0]: enter IP address of router
Enter TFTP image filename (64 characters max.) : xpcs00s.sys
Note: Some UNIX hosts do not use /tftpboot as the tftp home directory. If your host uses a different path, please enter it as part of the image filename. Example: Enter TFTP image filename (64 characters max.) : /usr/tftp/xpcs00s.sys
(Type any key to continue)
Terminal Server Configuration Menu
1. Display unit configuration
2. Modify unit configuration
3. Initialize server and port parameters
4. Revert to stored configuration
S. Exit saving configuration changes
X. Exit without saving configuration changes
Enter menu selection [X]: S
Save changes and exit (Y,N) [Y]? Y
Changes saved.
The access server will now reboot using the DTFTP information entered above.
To enable DTFTP on a running server using the Xyplex Command Language Interface:
Xyplex>> DEFINE SERVER IMAGE LOAD PROTOCOL DTFTP ENABLED
Xyplex>> DEFINE SERVER INTERNET ADDRESS x.x.x.x (server address)
Xyplex>> DEFINE SERVER INTERNET LOAD HOST x.x.x.x (host address)
Xyplex>> DEFINE SERVER INTERNET LOAD GATEWAY x.x.x.x (1st hop router)
Xyplex>> DEFINE SERVER INTERNET LOAD FILE "xpcs00s.sys"
Copyright 2002 iTouch Communications, Inc.
D.3 Configuring SYSLOG On Access Servers
Many customers are having problems configuring SYSLOG on their Access Server and their UNIX hosts.
The procedure is twofold. The Access Server needs to have SYSLOGD enabled and pointed to a UNIX host, and the UNIX host needs to be configured to be running SYSLOG and to have a definition for where the syslog information from the Access Server should be stored.
D.3.1 Configure the Access Server for SYSLOGD
Xyplex >> define server accounting entries 1000
This will enable the accounting feature, by defining the maximum number of accounting entries.
Xyplex >> define server daemon syslogd enabled 192.9.200.1
This will enable the syslogd on the Access Server and also point it to the UNIX host with IP address 192.9.200.1.
Xyplex>> init delay 0
This will re-initialize the Access server for the changes to take effect.
Xyplex >> set server verbose accounting enabled
This will enable the VERBOSE accounting on the Access Server.
D.3.2 Setting a Priority Number
There are several priority levels that define what type of information will be stored to the SYSLOG host. The priorities are:
− LOG_EMERG, 0, A severe condition.
− LOG_ALERT, 1, A condition the system manager needs to correct immediately.
− LOG_CRIT, 2, A critical condition such as a hard device error.
− LOG_ERR, 3, A software error condition.
− LOG_WARNING, 4, A warning message.
− LOG_NOTICE, 5, Conditions that may require specific procedures to adjust them.
− LOG_INFO, 6, Normal condition. Informational messages.
− LOG_DEBUG, 7, Messages with information useful for test situations only.
The priority chosen on the Access Server will match the one defined on the UNIX host. To specify the priority number on the Access Server:
Xyplex >> set server verbose priority 7
This will set the priority to 7. NOTE: Level 7 will also get all messages from priorities lower than 7.
Xyplex >> clear server accounting
This will clear the accounting log, so that the first information will be the newest.
Xyplex >> show server accounting
This will display the accounting information stored locally on the Access Server.
720-console> show server account
ACCOUNTING SUMMARY/SYSTEM LOG (ENTRIES WILL LOG AT OR BELOW PRIORITY LEVEL: 7)
02 May 1996 14:48:27 Accounting Summary/System Log Cleared by Port 15
02 May 1996 14:49:26 source:08-00-87-06-52-34 dest:140.179.240.14 port:0 user:(Remote) type:Rtelm
02 May 1996 14:49:31 Port: 00 User: wilbur User Login.
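Added example, not from the workbook or the iTouch documentation: a Python helper that applies the "at or below priority level" rule from D.3.2 to syslog severities and parses the "show server accounting" line format shown above. The sample log lines are constructed to match that output, and the field names it extracts (source, dest, port, user, type) are assumed from that sample.

```python
import re
from datetime import datetime

# Priority levels as listed in D.3.2; the numbering matches BSD syslog severities.
PRIORITIES = {0: "LOG_EMERG", 1: "LOG_ALERT", 2: "LOG_CRIT", 3: "LOG_ERR",
              4: "LOG_WARNING", 5: "LOG_NOTICE", 6: "LOG_INFO", 7: "LOG_DEBUG"}

def is_logged(entry_priority, server_priority):
    """Mirror 'set server verbose priority N': an entry is kept when its
    priority number is at or below N (a lower number is more severe)."""
    if entry_priority not in PRIORITIES or server_priority not in PRIORITIES:
        raise ValueError("priority must be 0..7")
    return entry_priority <= server_priority

def decode_pri(datagram):
    """Split the <PRI> of a BSD syslog datagram into (facility, severity); the
    severity uses the same 0..7 scale as the Xyplex table above."""
    m = re.match(rb"<(\d{1,3})>", datagram)
    if m is None or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI>")
    return divmod(int(m.group(1)), 8)

TS_RE = re.compile(r"^(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) (.*)$")
FIELD_RE = re.compile(r"(\w+):\s*(\S+)")

def parse_accounting_line(line):
    """Parse one 'show server accounting' line into a dict holding the
    timestamp, the free text, and any key:value fields found in the text."""
    m = TS_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised line: %r" % line)
    rec = {"time": datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S"),
           "text": m.group(2)}
    rec.update({k.lower(): v for k, v in FIELD_RE.findall(m.group(2))})
    return rec

# Constructed sample in the format of the D.3.2 output (not a real capture).
SAMPLE_LOG = """02 May 1996 14:48:27 Accounting Summary/System Log Cleared by Port 15
02 May 1996 14:49:26 source:08-00-87-06-52-34 dest:140.179.240.14 port:0 user:(Remote) type:Rtelm
02 May 1996 14:49:31 Port: 00 User: wilbur User Login."""

def remote_sessions(log_text):
    """Return (source MAC, destination IP) for each remote telnet (Rtelm) entry."""
    records = [parse_accounting_line(l) for l in log_text.splitlines()]
    return [(r["source"], r["dest"]) for r in records if r.get("type") == "Rtelm"]

if __name__ == "__main__":
    print(remote_sessions(SAMPLE_LOG))  # constructed sample -> one Rtelm entry
```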
D.3.3 Configure the Unix Host for SYSLOGD
Well, we don’t need that, do we?
Again, the stuff is Copyright by iTouch Communications, Inc.
Document History
Date         Version  Status  Remark
24-Nov-2002  0.99     Draft   Migrated from old 'Testbed and Tools' format
dd-mmm-yyyy  . . .
dd-mmm-yyyy  . . .
dd-mmm-yyyy  . . .
Table 1 Document History