
Update on Aircrack-ng suite .. how did I hack my WEP 64B?

Hello all,

Today I tried one of my very old and lasting desires 🙂 well, I am talking about hacking my own wireless access point .. the primary reason I did this is that I often forget my WEP key, and it would be handy to have this mechanism at hand just in case 🙂

Keeping fun aside, I am studying Quality of Service and other Frame Relay traffic shaping stuff and also wanted to get certified in the wireless security domain … I wanted to start with wireless security first .. I didn't know much about wireless apart from basic terminology …

I verified and found that BackTrack 4 would help me do the stuff, as it has many tools, of which Aircrack-ng is the most famous and powerful one .. initially I struggled to get it working, as not everything was in the manual

For example, the site in their demonstration used wireless channel 9 (and the number 9 for testing), but unfortunately my AP is on channel 1 and my card was on a different channel .. this took me time to figure out .. for those who want to get their hands dirty and know what I am speaking about, try these commands once you are up:

airmon-ng stop wlan0

airmon-ng start wlan0 1

This sets up your interface wlan0 on channel 1 and starts monitor mode .. additionally a mon0 interface is created, and here is how I used it:

aireplay-ng -e <essid> -a <ap.mac.addr> <inft(mon0 here)>

The remaining steps are straight from the website … and if anyone wants to get their hands dirty they can do it, but you need a proper card that supports packet injection … for more details it is better to consult the

airmon-ng official website for hardware support

Regards

Rakesh


Posted in How To | Leave a comment

What happens when you give an IP address to an interface without activating it? What's done after that?

I was working with some BGP and a wide variety of tortures with it, and took two routers to see some basic BGP peering again … I have been working with GNS3 and Cisco routers for quite some time now, and honestly I have never seen or thought about

“what happens when you assign an IP address to an interface and don't activate it? And what happens when you activate the interface?”

“Also, how is a duplicate address detected?” I know, I know, you must be saying: well, it's because of an ARP packet type called GRATUITOUS ARP .. I have never seen it on the router as of yet .. so in order for everything to happen let's get started

Why does the first ping look like .!!!! or ..!!! and so on, depending on the router hops?

Well, I know you must be saying “some ARP” .. but let's see what exactly happens, with the proper message type and other details, shall we?

Now I am assigning the IP address to Fa0/0 on R1, which is connected to Fa0/0 of router R2 .. note I am just assigning the IP address, not activating the interface (no shutdown has not yet been issued on the interface).

Can you see ARP starting out?

*Mar  1 00:09:12.363: ARP DYNAMIC: cancelling refresh on FastEthernet0/0
*Mar  1 00:09:12.367: RT: is_up: FastEthernet0/0 0 state: 6 sub state: 1 line: 1 has_route: False
*Mar  1 00:09:12.367: RT: is_up: FastEthernet0/0 0 state: 6 sub state: 1 line: 1 has_route: False

Make a note of state number 6 and the has_route: False statements … most probably when I activate the interface they should change, a route should be added to the routing table, and the condition should turn to True.

Let us see what happens when I issue the “no shutdown” command.

First of all, as we can see, ARP went out to find the dynamic entries for that interface … next it started an ARP mapping for our interface IP 1.0.0.1 with the MAC address given there ..

Next it verifies that there is no duplicate address on any of the connected links .. you can see this with this message:

*Mar  1 00:27:25.059: IP ARP: sent rep src 1.0.0.1 c200.0e1c.0000, dst 1.0.0.1 ffff.ffff.ffff FastEthernet0/0

Everyone knows what all f's mean … well, I mean to say technically f here stands for broadcast …:)

Now after all this .. it inserts the route into the routing table, and if you remember the previous state number, now we have another state number:

*Mar  1 00:27:28.039: RT: is_up: FastEthernet0/0 1 state: 4 sub state: 1 line: 1 has_route: True

*Mar  1 00:27:25.071: RT: add 1.0.0.0/24 via 0.0.0.0, connected metric [0/0]

*Mar  1 00:27:25.075: RT: NET-RED 1.0.0.0/24

The route got added to the routing table, as you can see, after activating the interface ….

Now let me do one more thing … let me assign the same IP address on the other side and see what message pops up, or what exactly triggers the duplicate address message …

As soon as I assign that address, gratuitous ARP follows its steps and should announce that there is a duplicate address on the segment …

As you can see, there is another statement from IP ARP: GRATUITOUS ARP THROTTLED

Now, let's move on to assigning an address of 1.0.0.2/24 to the interface

and let's create Loopback1 on both routers, with 1.1.1.1/24 on R1 and 2.2.2.2/24 on R2.

As you can now see .!!, as my repeat count was 3 .. the first packet went for ARP resolution .. when we see how R1 has replied to the unknown request from R2 … this is how it goes

This is how the entire thing gets resolved .. I hope you enjoyed this as much as I did with this article
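As an added example (not from the original post), here is a small Python decoder that does in code what the router debug output above shows: it unpacks Ethernet/ARP frames, recognises a gratuitous ARP (sender IP equal to target IP, sent to ffff.ffff.ffff, as in the "IP ARP: sent rep" line) and flags a duplicate address when a second MAC starts claiming an IP that another station already announced. The frames are constructed inline: R1's MAC c200.0e1c.0000 and the 1.0.0.0/24 addresses come from the post, the second MAC c201.0e1c.0000 is made up for the duplicate case.

```python
import struct
from collections import defaultdict

# Ethernet II header: dst MAC (6), src MAC (6), EtherType (2)
ETH_HDR = struct.Struct("!6s6sH")
# ARP body: htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def cisco_mac(raw: bytes) -> str:
    """Render 6 bytes in the dotted form IOS prints (c200.0e1c.0000)."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes,
              eth_dst: bytes = BROADCAST) -> bytes:
    """Build an Ethernet/ARP frame (used here only to construct sample input)."""
    return (ETH_HDR.pack(eth_dst, sha, ETHERTYPE_ARP)
            + ARP_PKT.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa))


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return {
        "op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(op, f"op{op}"),
        "sha": cisco_mac(sha), "spa": ip_str(spa),
        "tha": cisco_mac(tha), "tpa": ip_str(tpa),
        "eth_dst": cisco_mac(dst),
    }


def is_gratuitous(arp: dict) -> bool:
    """Gratuitous ARP: the sender talks about its own address (sender IP == target IP).
    That is the 'sent rep src 1.0.0.1 ... dst 1.0.0.1 ffff.ffff.ffff' line in the debug output."""
    return arp["spa"] == arp["tpa"]


def detect_duplicates(frames):
    """Remember which MACs have claimed each IP; a second MAC for the same IP is a
    duplicate-address event, the condition behind the router's duplicate address message."""
    owners = defaultdict(set)
    events = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        owners[arp["spa"]].add(arp["sha"])
        if len(owners[arp["spa"]]) > 1:
            events.append((arp["spa"], sorted(owners[arp["spa"]])))
    return events


# --- constructed sample traffic -------------------------------------------
R1_MAC = bytes.fromhex("c2000e1c0000")   # MAC seen in the router debug output above
R2_MAC = bytes.fromhex("c2010e1c0000")   # made-up MAC for the second router
IP_R1 = bytes([1, 0, 0, 1])
IP_R2 = bytes([1, 0, 0, 2])

R1_GARP = build_arp(ARP_REPLY, R1_MAC, IP_R1, BROADCAST, IP_R1)         # R1 announces 1.0.0.1
R2_REQUEST = build_arp(ARP_REQUEST, R2_MAC, IP_R2, b"\x00" * 6, IP_R1)  # R2 resolves 1.0.0.1
R2_GARP_DUP = build_arp(ARP_REPLY, R2_MAC, IP_R1, BROADCAST, IP_R1)     # R2 also claims 1.0.0.1
SAMPLE_FRAMES = [R1_GARP, R2_REQUEST, R2_GARP_DUP]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        a = parse_arp(f)
        print(a["op"], a["sha"], a["spa"], "->", a["tpa"],
              "gratuitous" if is_gratuitous(a) else "")
    print("duplicates:", detect_duplicates(SAMPLE_FRAMES))
```

The duplicate check is deliberately stateful: one gratuitous reply on its own is normal (it is how the interface announces itself after no shutdown), and only the second MAC for the same address is worth alerting on.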

Regards,

Rakesh

Posted in CCIE Routing and Switching | Leave a comment

GNS3 AND AN IDEA !!! THRILLING ONE PER SE

Hello all ,

Today I was working on a ticket based on an interface-down alert and was observing all the details the network management system had thrown in my face … I was impressed with the amazing detail in all the values it was showing … quickly my brain recalled that it came from SNMP, and I was very happy with my memory power 🙂 haha

As I was thinking about the monitoring system and wanted to set it up so that I could gain some experience with it, I went to the SolarWinds website and was happy to see that they are offering a free trial of all of their products ..

The point is, how do I get such a huge equipment stance as a data center has .. and quickly I took a wild guess at associating the trial network management system with GNS3 .. I quickly downloaded their network monitoring software, which allowed me to see only one product .. nevertheless I installed it and was thinking how I could associate it with my GNS3 … I finally did it and was seeing all the results and the SNMP world, as I am unaware of SNMP stuff as such .. still I don't know how it happens, as my goal from tomorrow would be precisely that! .. I got some results and will show them to you …

This is still in the idea phase; hope it grows more and gives all of us a huge familiarity with all the technologies, with open source software such as GNS3 .. thank you guys @ GNS3 who made it possible

Regards

Rakesh

Posted in CCIE Routing and Switching | 2 Comments

Radix Tree! Now I get how x.x.x.x/y works

Well, I was studying routing policy and its implementation and its power in filtering updates out and in … I knew this before, as many access lists, distribute lists and others do the same filtering .. but I was studying an interesting thing called a radix tree, which showed in a very basic way how a ‘1’ or ‘0’ changes the IP address / subnet … I wish I could have shown the same, but instead of me telling, I would advise you to do some searching and feel good after reading!
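Since the post does not show the tree itself, here is an added Python example (mine, not the post's) of a routing table built as a binary radix tree: each bit of the address picks the left ('0') or right ('1') child, and x.x.x.x/y simply means "walk y bits down and store the route there". Lookup walks the destination address bit by bit and keeps the deepest route it passes, which is exactly longest-prefix match. The sample routes reuse the 1.0.0.0/24, 1.1.1.0/24 and 2.2.2.0/24 networks from the earlier posts; the 1.0.0.0/8 "upstream" route and the default route are constructed for contrast.

```python
import ipaddress


class RadixNode:
    """One node of a binary trie: child 0 for a '0' bit, child 1 for a '1' bit."""
    __slots__ = ("children", "route")

    def __init__(self):
        self.children = [None, None]
        self.route = None   # set when a prefix ends exactly at this node


def address_bits(addr: str, length: int) -> str:
    """The first `length` bits of an IPv4 address, most significant bit first."""
    n = int(ipaddress.IPv4Address(addr))
    return "".join(str((n >> (31 - i)) & 1) for i in range(length))


class RadixTable:
    """A routing table as a binary trie: x.x.x.x/y is stored by walking y bits down."""

    def __init__(self):
        self.root = RadixNode()

    def insert(self, prefix: str, next_hop: str) -> None:
        net = ipaddress.IPv4Network(prefix, strict=False)   # host bits are masked off
        node = self.root
        for bit in address_bits(str(net.network_address), net.prefixlen):
            idx = int(bit)
            if node.children[idx] is None:
                node.children[idx] = RadixNode()
            node = node.children[idx]
        node.route = (str(net), next_hop)

    def lookup(self, addr: str):
        """Longest-prefix match: descend bit by bit and keep the deepest route seen."""
        node, best = self.root, self.root.route
        for bit in address_bits(addr, 32):
            node = node.children[int(bit)]
            if node is None:
                break
            if node.route is not None:
                best = node.route
        return best


def build_sample_table() -> RadixTable:
    """Constructed table: the /24s come from the earlier posts, the /8 and the
    default route are made up to show how longer prefixes win."""
    t = RadixTable()
    t.insert("0.0.0.0/0", "default-gw")
    t.insert("1.0.0.0/8", "upstream")
    t.insert("1.0.0.0/24", "connected Fa0/0")
    t.insert("1.1.1.1/24", "R1 Loopback1")     # stored as 1.1.1.0/24
    t.insert("2.2.2.2/24", "R2 Loopback1")     # stored as 2.2.2.0/24
    return t


if __name__ == "__main__":
    table = build_sample_table()
    for dst in ("1.1.1.5", "1.0.0.9", "1.200.3.4", "2.2.2.2", "9.9.9.9"):
        print(dst, address_bits(dst, 8), "->", table.lookup(dst))
```

Note how 1.1.1.5 and 1.200.3.4 share the first eight bits (the /8 node) and only diverge afterwards; the first one walks on to the /24 and gets the more specific route, the second one falls off the tree and keeps the /8.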

In the meanwhile I am working on Quality of Service and may be going with some Internetwork Expert workbooks … trying to attend the Narbik bootcamp at a nearby location .. had a chat with Narbik and am waiting for his email for other details

I will post updates about the CCIE and my status …. I would be attempting the lab somewhere soon and don't know how that goes! I am working with Juniper's Adaptive Threat Management and data center architecture …. some unified solutions

Keep Rocking

Rakesh

Posted in CCIE Routing and Switching | Leave a comment

Juniper M/MX overview continued

M and MX series overview
———————–

juniper is #2 with 48% market share

consolidation , complexity , reliability , security&compliance is evolution

reduce tco, increase roi , profitability

Advance Routing and software
—————————

two-tiered collapsed architecture

virtualisation, low latency, carrier class reliability, qos, security

one operating system, one single software release, one common architecture

junos trio chipset

mx 3d industry leader

carrier class reliability, reduced network complexity, sustainability and operational efficiency, improved end user exp and app perf, improved network flexibility

mcast distribution tree – spt or source tree / shared tree

forwarding delay – advance asic
transmission – user higher port speeds
propagation – reduce distance between source and receivers
end-to-end latency – implement all of them

forwarding path is full of asic based providing low latency

optimized hardware

i-chip asic for intensive services , pfe , redundancy

nsr – non stop routing , issu in-service software upgrade

graceful routing engine switchover
———————————-

backup routing states are maintained with keepalive mechanism

Nonstop Active Routing
———————-

maintains all the state routing engines , hence no routing latency in switchover

Unified in-service software upgrade
———————————–

can be installed with new versions without
reloading the device by installing it in the standby routing engine

quality of service
——————

standard 8 hardware queues with over 1000 to choose from (mcli)

acl and policers
—————–

m/mx/t have the most flexible and sophisticated policers in the industry

memory allocation – dynamic (mad)
———————————

provides right amount of bandwidth to queues

rewrites / marking
——————

ingress dscp rewrite / egress rewrite
802.1p ieee bits

mpls network virtualisation
—————————

support network segmentation and privacy
improve network security
scales for future growth

enterprise routing portfolio
—————————–

mx – optimized for wan gw , campus , dc aggr and core

m – application at campus backbone , wan edge

t – carrier class multi-service routing system,high perf

mx80 , mx240 , mx480 , mx960

ise – intelligent services edge
——————————-

not a product , its a service which enables high performance and scale , service flexibility and operational efficiency

mx 3d aggregation
——————

16x10gbe ports , 120 gbps (mx 240 mx 480 mx 960)

eantc – european advanced networking test center

mx 3d 100gb3 line card – line rate 100mb

16port ge line card – regional high speed metro network,suitable for large data center

mx80 3d ethernet services router – world's most powerful 3.5 inch router

mx80 – any where dc

junos space – simplicity, reliability, scalability

mx960 ethernet services router
——————————

14 slot chassis , 172 ports , front to back cooling

dpc – dense port concentrators

re is the daughter card for scb (switch control board)

mx480 ethernet services router
——————————

smaller form factor than mx960 and offers half the capacity of mx960

8 slot chassis cards (6+2)

side to side cooling

mx240 ethernet services router
——————————

half of mx480 performance

4 slot chassis (2+2 or 3+1)

mx fpc carrier cards (non ethernet intf)

mx architecture
—————-

2-3 switch control boards(scb’s)
scb’s fully redundant
packet order maintained
qos maintained

mx fpc architecture
——————–

pics are hot swappable and support oir
l3 ichip and l2 ese npu as the dpc’s
fpc supports l2 and l3

dpc-r (switching and routing), dpc-x (scaled-down switching routing), dpc-q (queuing)

mx family has fuller and richer capabilities over ex

M-series
——–

m7i , m10i , m120 , m320

m7i multiservice edge router
—————————-

1 fixed ge or 2 fixed fe ports

16mpps lookup perf

m7i components
————–

4 pic slots, fic 2 fixed fe, side to side cooling, redundant ac or dc pwr supplies, 20 g hard drive, pcmcia, 2 serial aux, ethernet card intf, 850 mbps (tunnel services)

m10i multiservice edge router
—————————–

most compact m series w/ fully redundant common hardware

m10i components
—————

8 slots for hot-swappable pics, exchangeable with m5/m7i/m10i pics, redundant re and fe, redundant pwr ac / dc

m120 multiservice edge router
—————————–

120 gigs throughput , 90mpps lookup , 8 queues per intf

m120 arch
———

4+2 fpc slots,one pfe per feb , 10gbps full duplex per slot , 15mpps per feb

m120 10gig capable high-end enterprise router

type 1 : 4pics / fpc 1gig/sec
type 2 : 4pics / fpc 2.5gig/sec
type 3 : 1 pic /fpc 10 gig/sec

two cfpcs for wan intf 10ge or option for no cfpcs

front to back cooled system

routing engine is a daughter card for scb

m120 ip services pic
——————–

provides hw accel
encryption services pic – ipsec
monitoring services pic – j-flow
tunnel services – gre ipinip
multi-services nat
linkservices – mlppp , mlfr

m320 multiservice edge router
—————————–

same arch as 120 and mx offer with diff type of form factor

8fpc slots , 20gbps full dup , 40mpps per fpc

4 scbs

e3 fpc overview
—————-

type 1(4) , 2(4) , 3(2 – 10gigs each),
redundant power supplies

non-ethernet intfs – then m-series

only ethernet intfs – then mx, but you have an option for non-ethernet intfs

m-series offer l3 whereas mx can also work as l2

partner solution development platform

customers
———

nyse – new york stock exchange
doe – department of energy
laboratory of neuro imaging

Regards

Rakesh

Posted in CCIE Routing and Switching | Leave a comment

Overview of Juniper SRX series in brief

upgrade path
————-

cisco vs juniper

1600 series vs srx 100

1600->1700->1800 to ssg20, srx210

2500->2600->2800 to srx140,srx240,j2320,j2350,j4350

3600->3700->3800 to srx650,j4350,j6350

7200->7600->M7i srx3000 or srx5000 (world's fastest fw)

7500->7600-> m series or srx3000/srx5000

————-

srx and j-series features
————————-

best in class routing with bgp , rip , ospf , mcst , isis

rich set of wan and lan intf

quality of service

support acl, stateful fw inspect, ipsec, ddos screening, ids ips, webfilt,

mpls ce pe and ipv6 routing

fw , nat ,ipsec etc

—————

power of junos
————–

one os (branch and core), one release, one architecture

quarterly release process

stand-alone modules and separation of control and packet forwarding planes

NextGen data plane (alg for instance)

NextGen software is based on screen os
(junos smp kernel with embedded junos features)

firewall processing has been enhanced with best of netscreen and junos with a single lookup and also policy implementation

fw processing  also has DOS and ACL filter with special hardware

session-aware processing avoids policy-matching

SRX series : zones and policies (simplify management)

NEXTGEN NAT : zone based security policy which separates nat from security policy and no need for loopback-grps or dummy static routes

security policies and NAT are independent

—————————————–

UNIFIED THREAT MANAGEMENT : UTM
——————————-

antivirus – kaspersky
webfiltering – websense / surfcontrol
content filtering
antispam – symantec

url whitelists can be used to bypass scanning of traffic from some sites

mime lists can be set up to bypass scanning of some traffic

webfiltering
———–

Integrated (surfcontrol) and redirect(websense)

a global whitelist/blacklist can be configured

redirect solution

Juniper networks-websense WF solutions
————————————–

Integrated webfiltering and location is in cloud

redirect webfilter is located in same network

ease-of-use is good for integrated webfiltering

latency is good for redirect web filtering

what to use depends on needs of requirement and latency issues

Content Filtering
—————–

control traffic based on MIME type, file extension, protocol commands

ANTISPAM
——–

ip address recognition based on symantec database provider (SPM RBL)

DYNAMIC VPN SERVICE — Access Manager Client
——————————————–

supported on srx100 , srx210 , srx240 not on srx650

layer 3 ipsec client that is automatically downloaded from a junos device
ssl fallback for tcp traversal

will replace NS-REMOTE which was on screen os and NS-REMOTE on srx

SRX FOR THE BRANCH OVERVIEW
—————————

srx100
srx210
srx240
srx650

srx series offers routing and security

all srx will have
——————

routing and switching
firewall and vpn
utm
ids and ips
uac – unified access control
voice services
power over ethernet 802.3at(30watt/port) versus 802.3af (15.4watt/port)

Antivirus

two av engines

full av kaspersky
express av – packet / content security accelerator

full av is high detection and express av is high performance

performance, coverage, memory utilisation

in express av the packet is sent as is and there is no huge av db
in full av the packet is reconstructed as is upto 20 mb and hence more cpu

When performance and memory utilization is a concern , use Express AV

when coverage rate is a concern use Full AV

————-

srx100(small)
——

8xfe, 1 usb, fw 175mbps, vpn 75 mbps, idp 50 mbps, no poe, no voice port, a/a or a/p conn (active, passive), full utm features

srx210(small)
——

2xge+6 fe , 1 mini pim , 3g slot , usb 2 , voice ports optional 2xfxs 2xfxo or mini-pim , fw perf 250Mbps , vpn 85Mbps , idp 80Mbps , a/a , a/p
4 poe ports (50w total),full utm features

low mem 512mb ram / 1gb flash
high mem 1gb ram / 1 gb flash (comes with regex acceleration for av and idp)

srx240(small to medium)
——

16xge , mini pim 4 , 3g wireless , usb 2 , poe 16ports (150w) , optional 2xfxs , fw 500mbps , vpn 200mbps , idp 250 mbps , a/a a.p (smb) , full  utm

srx650(medium)
——

4xge, gpim 8, usb 2 per processor, poe upto 48 ports (250w or 500w), pstn voice ports 8 analog, 2 t1/e1 per gpim, fw 2.5gbps, vpn 1.5 gbps, idp 900mbps, a/a or a/p or dual power, full utm

2 process module slots (sre services and routing engine, backup sre, application co-processor engine ACE card)

uac l3 enforcement points

Mid-plane design and modular ,  8 gpim slots not hot-swap as of now

—————-

Wireless
——–

ax411 blend high perf 802.11n with srx

rapid setup and centralized monitoring of remote sites

integrated

802.11n client adapter choosing should be good

ax411 is 180mbps peak throughput

oversubscription rates 4:1 or 8:1

provisioning model
——————

ap request an ip address using DHCP

DHCP should be configured on SRX gateways

you cannot plug ap into first port of gig eth as it is dhcp client

zero config
———–

except first port of gig e all others are in default-vlan and are in trust zone

plug ap into any of the other ports its as simple as that

L2 Management Mode
——————-

in l2 mode all ports are conn to intf in switching mode

all aps belong to same l3 network

roaming is supported and transparent to srx series

L3 Management Mode
——————

In l3 mode all ap ports are connected to intf in routing mode

each ap belongs to a different l3 network

in this mode roaming is not supported

client isolation can be enforced

authentication
————–

local and radius mac

802.1x

wep , wpa , wpa2 with eap based protocols

at srx series gateways
———————-

fw auth with local redirect for local auth

utm,idp,uac,wan accl,ip sec

Juniper Networks 3G Networks
—————————–

Bridge or Integrated with SRX210 integrated 3G

deployment options

on-demand dialing
backup interface
prefix monitoring

rpm monitoring scripts can be used for failover

Dialer interfaces
—————–

dialer intf are pseudo intfs

J-Series overview
—————–

juniper networks with avaya voip solution with cme configured at remote end

wxc ism200 application acceleration for j2320, j2350, j4350, j6350

unmatched performance when services are turned on

j2320
—–

4 ports ge, 3 pims, internal and external c-flash, optional encryption card, supports avaya ip telephony module

j2350
——

5 pim slots, 4 ge, nebs and dc pwr, optional encryption and supports avaya telephony module

j4350
——

4 ge ports, 4 pims, 2 epims, supports avaya media gateway, dc version available, low mem ver 256mb flash or high end 1gb, optional encryption

j6350
——

4 fixed ge lan ports, 2 pim slots and 4 epim slots, supports avaya media gateway, dc version available, hardware encryption standard, 1gb dram max 2gb, nebs compliant

pims, enhanced pim, universal pim

double the speed when services are on, compared with Cisco ISR

30% lower than cisco isr products

Enterprise routing portfolio
—————————–

srx 240 – srx 650 with j-series in between

greenfield accounts – lead with srx series

screen os installed base – go ahead with ssg

existing junos customers – introducing srx would make more sense

federal government – then ssg series

managed services – srx

3g connectivity – srx

poe – srx series

wlan today – ssg

ipv6 security – ssg

anything between srx240 – srx650 is j-series

ssg products provides deep inspection are replaced with ips on srx

express av – hardware specific required

srx doesn't support wan accel

Regards

Rakesh

Posted in CCIE Routing and Switching | Leave a comment

Status update and other things to share

Hello all! Hope everyone is doing good! There are some things to share .. first of all, I am with various firms as a consultant and have been doing some work setting up their networks, and the other way is I am working with a Juniper Systems elite partner! .. Juniper is not that hard or illogical per se, and it's good to have so many resources available on the Juniper site. I am a Juniper Certified Sales Associate for the M/MX series router platforms now! … does this mean I am off the CCIE track?

A big no .. I am almost done with all sorts of my prep work and in the final stages of launching the official labbing experience and scenarios .. I was not getting enough time to blog and keep you informed with my status updates!

OK … as I am done with most of my technologies, I am now going through the INE expanded blueprint, which is well written by Anthony. Here is the link:

http://blog.ine.com/2009/05/12/ccie-rs-4x-expanded-study-blueprint/

For next week I will be on Spanning Tree from Layer 2 and GRE tunnel keepalive mechanisms from Layer 3. I was just going through a Cisco doc on the GRE tunnel keepalive mechanism and was surprised at how Ethernet keepalives work.

I will try to do a packet capture and see if that is how it works out … but to make it a soft finish let me brief you on what I read.. detailed keepalive notes will be posted; this is just what I have read about Ethernet keepalives

ETHERNET KEEPALIVES

Generally keepalives are designed to tell whether the path to a particular neighbor is reachable and valid .. but on Ethernet it works in a different and strange way, as there are many neighbors on an Ethernet segment … a keepalive in the case of Ethernet is designed so that the local system checks it has read and write access to the Ethernet segment itself ..

The Process

The router (for that matter, any router, local to itself) produces an Ethernet frame with source and destination MAC addresses set to its own and the special Ethernet type code 0x9000 .. as the frame reaches the Ethernet hardware, it immediately sends and receives the same frame, which confirms the whole purpose of the keepalive mechanism ..
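To make the description concrete, here is an added Python example (mine, not from the post or from Cisco) that builds such a keepalive frame and shows the check the line protocol is really making: the frame's source and destination MAC are the router's own and the EtherType is 0x9000, and the test passes when one of our own frames is seen coming back. The EtherType is the only detail the post gives; the payload layout used here (Ethernet Configuration Testing Protocol: skipCount 0, function 1 = Reply, receipt number 0, little-endian, zero padded to the 60-byte minimum) is an assumption. R1's MAC c200.0e1c.0000 is taken from the earlier ARP post; the neighbour MAC is made up.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")      # dst MAC, src MAC, EtherType
ETHERTYPE_LOOPBACK = 0x9000            # the "special ethernet code" from the post
MIN_FRAME = 60                         # minimum Ethernet frame size without FCS


def cisco_mac(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def build_keepalive(own_mac: bytes) -> bytes:
    """Construct a loopback keepalive as the post describes: src == dst == the router's own MAC,
    EtherType 0x9000. Payload layout (skipCount 0, function 1 = Reply, receipt number 0,
    little-endian, zero padding) follows the Ethernet Configuration Testing Protocol and is an
    assumption; the post only gives the EtherType."""
    payload = struct.pack("<HHH", 0, 1, 0)
    frame = ETH_HDR.pack(own_mac, own_mac, ETHERTYPE_LOOPBACK) + payload
    return frame.ljust(MIN_FRAME, b"\x00")


def classify_frame(frame: bytes, own_mac: bytes) -> str:
    """Tell apart our own keepalive echo, another station's keepalive, and everything else."""
    if len(frame) < ETH_HDR.size:
        return "runt"
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_LOOPBACK:
        return "other"
    if src == dst == own_mac:
        return "self-keepalive"      # our frame came back: we can write to and read from the wire
    if src == dst:
        return "foreign-keepalive"   # some other station's keepalive heard on the segment
    return "loopback-other"


def keepalive_passed(frames_seen, own_mac: bytes) -> bool:
    """The check the post describes: did one of our own keepalives come back in this interval?"""
    return any(classify_frame(f, own_mac) == "self-keepalive" for f in frames_seen)


# constructed sample: R1's MAC from the earlier ARP post, a made-up MAC for a neighbour
R1_MAC = bytes.fromhex("c2000e1c0000")
NEIGHBOR_MAC = bytes.fromhex("c2010e1c0000")

if __name__ == "__main__":
    ka = build_keepalive(R1_MAC)
    print(len(ka), "bytes,", cisco_mac(ka[6:12]), "->", cisco_mac(ka[0:6]),
          hex(ETH_HDR.unpack_from(ka)[2]))
    print(classify_frame(ka, R1_MAC), classify_frame(ka, NEIGHBOR_MAC))
```

When you do the packet capture, a display filter on EtherType 0x9000 will show these frames once per keepalive interval, each with identical source and destination addresses; the "foreign-keepalive" class is what you would see from other routers on the same segment.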

This is amazing for me, as I didn't know this until now, and now that I know it I will try to lab it up and see if I can catch the same packet

Regards

Rakesh

Posted in CCIE Routing and Switching | 1 Comment

IP SLA …. GOT IT FINALLY :)

Been so many sleepless nights wondering what IP SLA was, until I configured it myself.

IP SLA is basically one of the methods for enhanced object tracking.

A few names for IP SLA:

IP SLA -> Service Level Agreement

or

RTR -> response time reporter

or

SAA -> service assurance agent

IP SLA is used to track many things, including delay, application response time such as HTTP, DHCP, DNS, TCP, and also reachability using ICMP echo.

We will basically use it for FHRP (first hop redundancy) tracking.

Here is the scenario with HSRP-enabled routers. I would use IP SLA to track the interfaces and their status, and if the active router goes down then the standby should take over with the help of IP SLA. Unlike interface tracking this is fun and powerful, as I have added something spicy into the topology.

Here is what I have done.

Initial Configuration

R1

router eigrp 1

net 10.0.0.0

net 13.0.0.0

pass fa0/0

no auto

same conf on R2

r3

int l1

ip addr 1.1.1.1 255.255.255.0

router eigrp 1

net 13.0.0.0

net 23.0.0.0

net 1.0.0.0

no auto

R4 has a special configuration and will act like a host, so let's turn off routing for it.

r4(conf)#no ip routing

r4(conf)#ip default-gateway 10.0.0.10 -> this will be the HSRP virtual IP address.

int fa0/0

ip addr 10.0.0.4 255.255.255.0

—————

Before enabling HSRP we should not be able to ping the virtual IP; let's verify it on R4

r4#ping 10.0.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


Let us enable HSRP now on R1 and R2

r1(config)#int fa0/0

r1(config-if)#standby 1 ip 10.0.0.10

r1(config-if)#standby 1 preempt

r1(config-if)#exit

r1(config)#

*Mar  1 00:14:58.659: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active

r1(config)#

————
r2(config)#int fa0/0
r2(config-if)#standby 1 preempt
r2(config-if)#standby 1 ip 10.0.0.10
r2(config-if)#end
r2#
*Mar  1 00:15:07.643: %SYS-5-CONFIG_I: Configured from console by console
r2#
*Mar  1 00:15:26.727: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
r1#show standby brief
P indicates configured to preempt.
|
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100 P Active  local           10.0.0.2        10.0.0.10
r1#
Now let's try to ping 10.0.0.10 from the R4 host.
Bingo!
r4#ping 10.0.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/259/1072 ms
r4#
Let's try pinging 1.1.1.1 from the R4 host
r4#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/56/84 ms
r4#
r4#traceroute 1.1.1.1
Type escape sequence to abort.
Tracing the route to 1.1.1.1
1 10.0.0.1 84 msec 96 msec 24 msec
2 13.0.0.3 48 msec *  68 msec
As traceroute indicates, it is indeed taking R1.
Without implementing any IP SLA, let's shut down the fa0/0 port of R1 and see our results. R4 should now take R2.
r1(config)#int fa0/0
r1(config-if)#shut
r1(config-if)#
*Mar  1 00:19:01.699: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Init
r2#show standby brief
P indicates configured to preempt.
|
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100 P Active  local           unknown         10.0.0.10
r2#
Now R4 is taking R2 as the gateway
r4#ping 10.0.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/31/124 ms
r4#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/48/128 ms
r4#traceroute 1.1.1.1
Type escape sequence to abort.
Tracing the route to 1.1.1.1
1 10.0.0.2 112 msec 32 msec 12 msec
2 23.0.0.3 84 msec *  116 msec
r4#
—–
Now the standby router took over, as the interface local to us went down. But what happens if the interface on the other end goes down? .. Yes, we still have options such as interface tracking to employ, but we will go with IP SLA and implement Enhanced Object Tracking.
r1(config)#ip sla 1
r1(config-ip-sla)#?
IP SLAs entry configuration commands:
dhcp         DHCP Operation
dlsw         DLSW Operation
dns          DNS Query Operation
exit         Exit Operation Configuration
frame-relay  Frame-relay Operation
ftp          FTP Operation
http         HTTP Operation
icmp-echo    ICMP Echo Operation
icmp-jitter  ICMP Jitter Operation
mpls         MPLS Operation
path-echo    Path Discovered ICMP Echo Operation
path-jitter  Path Discovered ICMP Jitter Operation
slm          SLM Operation
tcp-connect  TCP Connect Operation
udp-echo     UDP Echo Operation
udp-jitter   UDP Jitter Operation
voip         Voice Over IP Operation
r1(config-ip-sla)#icmp-echo ?
Hostname or A.B.C.D  Destination IP address or hostname, broadcast disallowed
r1(config-ip-sla)#icmp-echo 1.1.1.1 ?
source-interface  Source Interface (ingress icmp packet interface)
source-ip         Source Address
<cr>
r1(config-ip-sla)#icmp-echo 1.1.1.1
r1(config-ip-sla-echo)#?
IP SLAs echo Configuration Commands:
default            Set a command to its defaults
exit               Exit operation configuration
frequency          Frequency of an operation
history            History and Distribution Data
no                 Negate a command or set its defaults
owner              Owner of Entry
request-data-size  Request data size
tag                User defined tag
threshold          Operation threshold in milliseconds
timeout            Timeout of an operation
tos                Type Of Service
verify-data        Verify data
vrf                Configure IP SLAs for a VPN Routing/Forwarding instance
r1(config-ip-sla-echo)#frequency 3
%Illegal Value:  Cannot set Frequency to be less than Timeout
r1(config-ip-sla-echo)#timeout 2000
r1(config-ip-sla-echo)#exit
r1(config)#
r1(config)#track 1 ?
application  Application
interface    Select an interface to track
ip           IP protocol
list         Group objects in a list
rtr          Response Time Reporter (RTR) entry
stub-object  Stub tracking object
r1(config)#track 1 rtr 1 ?
reachability  Reachability
state         Return code state
<cr>
r1(config)#track 1 rtr 1 state ?
<cr>
r1(config)#track 1 rtr 1 state
r1(config-track)#?
Tracking instance configuration commands:
default  Set a command to its defaults
delay    Tracking delay
exit     Exit from tracking configuration mode
no       Negate a command or set its defaults
r1(config-track)#exit
r1(config)#
r1(config)#int fa0/0
r1(config-if)#standby 1 track 1 decrement 255
r1(config-if)#exit
r1(config)#
Similarly on R2.
Now I will shut down fa0/1 of R3, which connects to R2, the active HSRP router; this should trigger IP SLA and R1 should take over.
We have forgotten one of the most important commands:
r1(config)#ip sla schedule 1  start-time now life forever
r2(config)#ip sla schedule 1 start-time now life forever
r2#show ip sla stat
Round Trip Time (RTT) for       Index 1
Latest RTT: 107 milliseconds
Latest operation start time: *00:32:34.023 UTC Fri Mar 1 2002
Latest operation return code: OK
Number of successes: 4
Number of failures: 0
Operation time to live: Forever
r3(config)#int fa0/1
r3(config-if)#
r3(config-if)#
r3(config-if)#shut
r3(config-if)#
*Mar  1 00:33:32.727: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 23.0.0.2 (FastEthernet0/1) is down: interface down
r3(config-if)#
*Mar  1 00:33:34.483: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
*Mar  1 00:33:35.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
r3(config-if)#
r2#debug ip sla error
IP SLAs ERROR debugging for all operations is on
r2#
*Mar  1 00:33:38.007: %TRACKING-5-STATE: 1 rtr 1 state Up->Down
r2#
*Mar  1 00:33:40.527: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
r2#
*Mar  1 00:33:46.283: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 23.0.0.3 (FastEthernet0/1) is down: holding time expired
r2#
*Mar  1 00:33:50.527: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
r2#
Note the tracking message in the debug output above: about four seconds after the shutdown the track object went Up->Down, and two seconds later HSRP on R2 stepped down from Active to Speak (R1, whose priority is now the higher one, preempted) and then settled as Standby:
*Mar  1 00:33:38.007: %TRACKING-5-STATE: 1 rtr 1 state Up->Down
r4#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 32/73/120 ms
r4#traceroute 1.1.1.1
Type escape sequence to abort.
Tracing the route to 1.1.1.1
1 10.0.0.1 164 msec 68 msec 16 msec
2 13.0.0.3 28 msec
The first hop is now 10.0.0.1, so traffic from R4 goes through R1. The SLA statistics on R2 show why:
r2#show ip sla stat
Round Trip Time (RTT) for       Index 1
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *00:35:34.023 UTC Fri Mar 1 2002
Latest operation return code: Timeout   <-- the probe now times out
Number of successes: 4
Number of failures: 3
Operation time to live: Forever
Now I change two things: first I raise the HSRP priority of R2 to 110 from the default of 100, then I bring fa0/1 on R3 (the interface shut down above) back up, to see how the track object follows the probe and what HSRP does with it.
r2(config)#int fa0/0
r2(config-if)#standby 1 priority 110
r3(config)#int fa0/1
r3(config-if)#no shut
r2#
*Mar  1 00:40:54.455: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 23.0.0.3 (FastEthernet0/1) is up: new adjacency
r2#
*Mar  1 00:41:34.543: %TRACKING-5-STATE: 1 rtr 1 state Down->Up
*Mar  1 00:41:34.731: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
r2#
Once the EIGRP adjacency is back, the probe succeeds again, the track object goes Down->Up, R2 gets its full priority of 110 back and, because it preempts, takes the Active role from R1.
The same mechanism can track any reachability test that IP SLA can run (or another track object type such as an interface or a route), and the resulting object can be tied to the priority of any of the first hop redundancy protocols in the same way.
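To make the chain concrete, here is an added example (plain Python, not Cisco IOS code and not part of the original post) that models what was configured above: the latest IP SLA return code drives the state of "track 1 rtr 1 state", the track state applies "standby 1 track 1 decrement 255" to the HSRP priority, and the election with preemption decides who is Active. The probe results, the addresses 10.0.0.1/10.0.0.2, the clamping of a priority that would go negative, and the assumption that R2 also has "standby 1 preempt" (required for it to reclaim Active at the end of the post) are all constructed for the example.

```python
"""Replay of the IP SLA -> track -> HSRP priority -> election chain.

Added example, not Cisco IOS code. The probe history, addresses and the
preempt/decrement settings below are constructed to follow the post.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class Router:
    name: str
    ip: str                   # interface address, used as the election tie-breaker
    priority: int = 100       # standby 1 priority <n> (100 is the IOS default)
    preempt: bool = False     # standby 1 preempt
    decrement: int = 0        # standby 1 track 1 decrement <n>
    track_up: bool = True     # current state of the tracked object

    def effective_priority(self) -> int:
        """Priority after the track decrement is applied.

        Assumption: the result is clamped at 0 when the decrement is larger
        than the configured priority (decrement 255 on priority 100 here).
        """
        if self.track_up:
            return self.priority
        return max(0, self.priority - self.decrement)


def sla_summary(return_codes):
    """Mimic the counters of 'show ip sla statistics' for one operation."""
    successes = sum(1 for code in return_codes if code == "OK")
    failures = len(return_codes) - successes
    latest = return_codes[-1] if return_codes else None
    return successes, failures, latest


def track_state(return_codes) -> bool:
    """'track 1 rtr 1 state' is Up while the latest probe returned OK."""
    return bool(return_codes) and return_codes[-1] == "OK"


def elect(routers, active):
    """HSRP election: highest effective priority wins, higher IP breaks ties.

    A better candidate only takes over from a working Active router if it
    has preemption configured; otherwise the current Active keeps the role.
    """
    best = max(routers, key=lambda r: (r.effective_priority(), IPv4Address(r.ip)))
    if active is None or best is active or best.preempt:
        return best
    return active


def replay():
    """Walk through the sequence of the post; return the Active router per step."""
    r1 = Router("r1", "10.0.0.1", preempt=True, decrement=255)
    r2 = Router("r2", "10.0.0.2", preempt=True, decrement=255)
    routers = [r1, r2]
    history = []

    # 1. Both at priority 100: R2 wins the tie on the higher IP address.
    active = elect(routers, None)
    history.append(active.name)

    # 2. R3's link towards R2 goes down: R2's probe times out, the track
    #    object goes Up->Down and R2's priority is decremented.
    probes_r2 = ["OK"] * 4 + ["Timeout"] * 3          # constructed probe history
    r2.track_up = track_state(probes_r2)
    active = elect(routers, active)                     # R1 preempts
    history.append(active.name)

    # 3. R2 is given priority 110 while the object is still down: no change.
    r2.priority = 110
    active = elect(routers, active)
    history.append(active.name)

    # 4. The link is restored, the object goes Down->Up, R2 preempts back.
    r2.track_up = track_state(probes_r2 + ["OK"])
    active = elect(routers, active)
    history.append(active.name)
    return history


if __name__ == "__main__":
    print(sla_summary(["OK"] * 4 + ["Timeout"] * 3))   # (4, 3, 'Timeout')
    print(replay())                                     # ['r2', 'r1', 'r1', 'r2']
```

Step 3 is the one worth noticing: raising R2's priority to 110 changes nothing while the tracked object is down, because the decrement is applied on top of the configured value; only the probe succeeding again (step 4) restores the priority and lets preemption move the Active role back.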
Posted in CCIE Routing and Switching | Leave a comment

Gateway Redundancy Protocols: First Hop Redundancy

Brief topology and configuration

HSRP Configuration

int fa0/0
standby 1 ip 10.0.0.10
standby 1 preempt

With HSRP debugging (debug standby) enabled, configuring the virtual IP on R1 produces the output below. R1 is the first router in the group, so it hears neither an Active nor a Standby router and walks Init -> Listen -> Speak -> Standby -> Active on its own as each timer expires:

r1(config-if)#standby 1 ip 10.0.0.10
r1(config-if)#
*Mar  1 00:07:18.415: HSRP: Fa0/0 Starting minimum interface delay (1 secs)
*Mar  1 00:07:18.415: HSRP: Fa0/0 Grp 1 Set group MAC 0000.0000.0000 -> 0000.0c07.ac01
*Mar  1 00:07:18.419: HSRP: Fa0/0 MAC entry 0000.0c07.ac01 created
*Mar  1 00:07:18.419: HSRP: Fa0/0 MAC entry 0000.0c07.ac01, Added Fa0/0 Grp 1 to list
*Mar  1 00:07:18.435: HSRP: Fa0/0 Grp 1 Disabled -> Init
*Mar  1 00:07:18.435: HSRP: Fa0/0 Grp 1 Redundancy "hsrp-Fa0/0-1" state Disabled -> Init
*Mar  1 00:07:18.439: HSRP: Fa0/0 IP Redundancy "hsrp-Fa0/0-1" added
*Mar  1 00:07:18.439: HSRP: Fa0/0 IP Redundancy "hsrp-Fa0/0-1" update, Disabled -> Init
*Mar  1 00:07:19.415: HSRP: Fa0/0 Interface min delay expired
*Mar  1 00:07:19.415: HSRP: Fa0/0 Grp 1 Init: a/HSRP enabled
*Mar  1 00:07:19.415: HSRP: Fa0/0 Grp 1 Init -> Listen
*Mar  1 00:07:19.419: HSRP: Fa0/0 Grp 1 Redundancy "hsrp-Fa0/0-1" state Init -> Backup
*Mar  1 00:07:19.419: HSRP: Fa0/0 IP Redundancy "hsrp-Fa0/0-1" update, Init -> Backup
r1(config-if)#
*Mar  1 00:07:29.415: HSRP: Fa0/0 Grp 1 Listen: c/Active timer expired (unknown)
*Mar  1 00:07:29.415: HSRP: Fa0/0 Grp 1 Listen -> Speak
*Mar  1 00:07:29.415: HSRP: Fa0/0 Grp 1 Redundancy "hsrp-Fa0/0-1" state Backup -> Speak
*Mar  1 00:07:29.419: HSRP: Fa0/0 IP Redundancy "hsrp-Fa0/0-1" update, Backup -> Speak
r1(config-if)#
*Mar  1 00:07:39.415: HSRP: Fa0/0 Grp 1 Speak: d/Standby timer expired (unknown)
*Mar  1 00:07:39.415: HSRP: Fa0/0 Grp 1 Standby router is local
*Mar  1 00:07:39.415: HSRP: Fa0/0 Grp 1 Speak -> Standby
*Mar  1 00:07:39.415: HSRP: Fa0/0 Grp 1 Redundancy "hsrp-Fa0/0-1" state Speak -> Standby
*Mar  1 00:07:39.419: HSRP: Fa0/0 IP Redundancy "hsrp-Fa0/0-1" standby, unknown -> local
*Mar  1 00:07:39.419: HSRP: Fa0/0 IP Redundancy "hsrp-Fa0/0-1" update, Speak -> Standby
*Mar  1 00:07:39.915: HSRP: Fa0/0 Grp 1 Standby: c/Active timer expired (unknown)
*Mar  1 00:07:39.915: HSRP: Fa0/0 Grp 1 Active router is local
*Mar  1 00:07:39.915: HSRP: Fa0/0 Grp 1 Standby router is unknown, was local
*Mar  1 00:07:39.915: HSRP: Fa0/0 Grp 1 Standby -> Active
*Mar  1 00:07:39.915: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
r1(config-if)#
*Mar  1 00:07:39.915: HSRP: Fa0/0 Grp 1 Redundancy "hsrp-Fa0/0-1" state Standby -> Active
*Mar  1 00:07:39.919: HSRP: Fa0/0 Grp 1 Activating MAC 0000.0c07.ac01
*Mar  1 00:07:39.923: HSRP: Fa0/0 Grp 1 Adding 0000.0c07.ac01 to MAC address filter
*Mar  1 00:07:39.923: HSRP: Fa0/0 IP Redundancy "hsrp-Fa0/0-1" standby, local -> unknown
*Mar  1 00:07:39.923: HSRP: Fa0/0 IP Redundancy "hsrp-Fa0/0-1" update, Standby -> Active
r1(config-if)#
*Mar  1 00:07:42.919: HSRP: Fa0/0 IP Redundancy "hsrp-Fa0/0-1" update, Active -> Active
r1(config-if)#standby 1 preempt
r1(config-if)#
*Mar  1 00:08:14.383: HSRP: Fa0/0 Nbr 10.0.0.3 Adv in, active 0 passive 1
*Mar  1 00:08:14.387: HSRP: Fa0/0 Nbr 10.0.0.3 created
*Mar  1 00:08:14.387: HSRP: Fa0/0 Nbr 10.0.0.3 is passive
r1(config-if)#
*Mar  1 00:08:34.383: HSRP: Fa0/0 Grp 1 Standby router is 10.0.0.3
*Mar  1 00:08:34.383: HSRP: Fa0/0 Nbr 10.0.0.3 is no longer passive
*Mar  1 00:08:34.387: HSRP: Fa0/0 Nbr 10.0.0.3 standby for group 1
r1(config-if)#
*Mar  1 00:08:57.179: HSRP: Fa0/0 Nbr 10.0.0.2 Adv in, active 0 passive 1
*Mar  1 00:08:57.183: HSRP: Fa0/0 Nbr 10.0.0.2 created
*Mar  1 00:08:57.183: HSRP: Fa0/0 Nbr 10.0.0.2 is passive
r1(config-if)#end
r1#show
*Mar  1 00:09:23.027: %SYS-5-CONFIG_I: Configured from console by console
r1#show standby ?
FastEthernet  FastEthernet IEEE 802.3
Port-channel  Ethernet Channel of interfaces
all           Include groups in disabled state
brief         Brief output
capability    HSRP capability
delay         Group initialisation delay
internal      Internal HSRP information
neighbors     HSRP neighbors
redirect      HSRP ICMP redirect information
|             Output modifiers
<cr>
r1#show standby nei
HSRP neighbors on FastEthernet0/0
10.0.0.2
No active groups
No standby groups
Passive timer expires in 172.148
10.0.0.3
No active groups
Standby groups: 1
r1#show standby internal
Global           Confg: 0000
Fa0/0 If hw      Gt96k FE (18), State 0x210040
Fa0/0 If hw      Confg: 0000
Fa0/0 If hw      Flags: 0000
Fa0/0 If sw      Confg: 0000
Fa0/0 If sw      Flags: 0000
Fa0/0 Grp 1      Confg: 0012, IP_PRI, PREEMPT
Fa0/0 Grp 1      Flags: 0000
HSRP MAC Address Table
173 Fa0/0 0000.0c07.ac01
Fa0/0 Grp 1
r1#show standby redirect
Interface          Redirects Unknown   Adv      Holddown
FastEthernet0/0    enabled   enabled   30       180
Active                Hits  Interface Group Virtual IP            Virtual MAC
local                 0     Fa0/0     1     10.0.0.10             0000.0c07.ac01
Passive               Hits  Interface Expires in
10.0.0.2              0     Fa0/0     166.720
r1#show standby summary
                ^
% Invalid input detected at '^' marker.
r1#show stan brief
P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100 P Active  local           10.0.0.3        10.0.0.10
r1#
r1#
r1#show standby
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:03:44
  Virtual IP address is 10.0.0.10
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.272 secs
  Preemption enabled
  Active router is local
  Standby router is 10.0.0.3, priority 100 (expires in 7.752 sec)
  Priority 100 (default 100)
  Group name is "hsrp-Fa0/0-1" (default)
r1#
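Everything in the output above is HSRP version 1: hellos every 3 seconds, hold time 10, priority 100, and the virtual MAC 0000.0c07.ac01 that comes from the group number. The following is an added example in Python, not code from this post or from Cisco: it encodes and decodes the 20-byte HSRP v1 message (RFC 2281) that routers send in UDP port 1985 to 224.0.0.2, derives the v1 virtual MAC, and applies the election rule the debug output shows (higher priority wins, higher IP breaks ties). The point a security engineer should take from the packet layout is the authentication field: eight bytes of plain text, "cisco" unless configured otherwise, that a receiver simply compares. A hello carrying that string and priority 255 from any host on the segment outranks the real routers, which is why groups should get "standby 1 authentication md5 key-string <key>" rather than the default. The packets and the sender address 10.0.0.200 are constructed for the example.

```python
"""HSRP version 1 messages (RFC 2281) as they appear on the wire.

Added example, not Cisco code. Packets and addresses are constructed.
"""
import struct
from ipaddress import IPv4Address

# Version, Op Code, State, Hellotime, Holdtime, Priority, Group, Reserved,
# Authentication Data (8 bytes), Virtual IP Address (4 bytes) -> 20 bytes
HSRP_V1 = struct.Struct("!BBBBBBBB8s4s")
OP_HELLO, OP_COUP, OP_RESIGN = 0, 1, 2
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
STATE_ACTIVE = 16
DEFAULT_AUTH = b"cisco"   # RFC 2281 default; sent in clear text, not hashed


def virtual_mac(group: int) -> str:
    """HSRP v1 virtual MAC 0000.0c07.acXX, where XX is the group number."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP v1 group numbers are 0..255")
    return f"0000.0c07.ac{group:02x}"


def build_hello(group, vip, priority=100, state=STATE_ACTIVE, hello=3, hold=10,
                auth=DEFAULT_AUTH, opcode=OP_HELLO) -> bytes:
    """Encode one HSRP v1 message; the defaults match 'show standby' above."""
    if len(auth) > 8:
        raise ValueError("authentication data is at most 8 bytes")
    return HSRP_V1.pack(0, opcode, state, hello, hold, priority, group, 0,
                        auth.ljust(8, b"\x00"), IPv4Address(vip).packed)


def parse_hello(data: bytes) -> dict:
    """Decode an HSRP v1 message; raises ValueError on anything else."""
    if len(data) < HSRP_V1.size:
        raise ValueError("short HSRP packet")
    version, opcode, state, hello, hold, prio, group, _, auth, vip = HSRP_V1.unpack_from(data)
    if version != 0:
        raise ValueError("not an HSRP v1 packet")
    return {
        "opcode": opcode, "state": STATES.get(state, state),
        "hello": hello, "hold": hold, "priority": prio, "group": group,
        "auth": auth.rstrip(b"\x00"), "vip": str(IPv4Address(vip)),
    }


def accept_hello(data: bytes, group: int, expected_auth: bytes = DEFAULT_AUTH):
    """The receiver's check before acting on a hello: right group, matching auth.

    This is a plain string comparison, so the check is only as strong as the
    secrecy of the string. Returns the parsed hello, or None to ignore it.
    """
    pkt = parse_hello(data)
    if pkt["group"] != group or pkt["auth"] != expected_auth:
        return None
    return pkt


def outranks(remote_priority, remote_ip, local_priority, local_ip) -> bool:
    """Election rule: higher priority wins, higher IP address breaks ties."""
    return (remote_priority, IPv4Address(remote_ip)) > (local_priority, IPv4Address(local_ip))


if __name__ == "__main__":
    hello = build_hello(1, "10.0.0.10")
    print(virtual_mac(1), len(hello), parse_hello(hello))
    # A hello with the default auth string and priority 255 from any host on
    # the segment (constructed sender 10.0.0.200) outranks R1 at priority 100.
    rogue = accept_hello(build_hello(1, "10.0.0.10", priority=255), group=1)
    print(outranks(rogue["priority"], "10.0.0.200", 100, "10.0.0.1"))
```

The sender's own address is not in the HSRP body; it is the IP source of the UDP datagram, which is why outranks() takes it separately. HSRP version 2 uses a different TLV encoding and the 0000.0c9f.fxxx virtual MAC range, so this parser does not apply to it.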

Posted in CCIE Routing and Switching | 3 Comments