The Brest Laboratory
Doosthofer Weg 8
21698 Brest
Germany
http://www.brest-lab.net

Logbook Section 1
The Static Laboratory
Version 0.99
November 2002

Markus Böing
mailto://[email protected]

DRAFT
TODO: Update router configuration profiles

Concept: November 24, 2002 1

Contents

1 Introduction 1
1.1 Document Purpose 1
1.2 Research Resources 1

2 Network Architecture 5
2.1 Topology Overview 5
2.2 Design Considerations 5
2.3 Design Constraints 5

3 Office Network 7
3.1 Physical Design 7
3.2 Logical Design 8
3.3 Network Services 8
3.3.1 Internet Access 8
3.3.2 DHCP 9
3.3.3 DNS 9
3.3.4 TFTP 9
3.3.5 Printing 9
3.3.6 X11 9

4 Lab Network 12
4.1 Physical Design 12
4.1.1 Software 13
  IOS-MPLS 13
  NetBSD-MPLS 13
  IOS-Edge 13
  NetBSD-Core 13
  IOS-Pagent 13
  Configuration Files 13
4.1.2 Hardware 15
4.2 Logical Design 16
  Zebra OSPFd 16
4.2.1 MPLS 18
4.2.2 IPv6 19
  Topology 19
  Physical Design 19
  Addressing 19
  Routing 20
  Host Access 21

5 Network Services 27
5.1 DNS 27
5.2 FTP and TFTP 27
5.3 Logging 27
5.4 NTP 27
5.5 Printing 27
5.6 netdb (http://www.net.cmu.edu/netreg/) 27
5.7 VideoLAN (www.videolan.org) 27
5.8 Kismet (www.kismetwireless.net) 27
5.9 Network Verification Toolkit 28
5.9.1 Some Tools that come with IOS 28
  Service Assurance Agent 28
  Traffic Matrix Statistics 29
5.9.2 Pagent 32
  LNE BGP 33
  LNE OSPF 35
  TGN 38
5.9.3 Expect 42
5.9.4 Ploticus 43
5.9.5 NRFU 45
5.9.6 Cricket and RRDTool 46
5.9.7 MRTG 47
5.9.8 Ethereal (www.ethereal.com) 51
5.9.9 Etherape (etherape.sourceforge.net) 51
5.10 Authentication Services 52
5.10.1 RADIUS 52
5.11 Security Toolkit 53

A Configuration Log 54
A.1 Basic IPv4 Configuration 54
A.1.1 Common Configuration - NTP, SNMP, Administrative Access 54
A.1.2 Common Configuration - RADIUS 56
A.1.3 Router Core1 - IPv4 58
A.1.4 Router Core2 - IPv4 61
A.1.5 Router Core3 - IPv4 64
A.1.6 Router Core4 - IPv4 67
A.1.7 Router Edge1 - IPv4 68
A.1.8 Router Edge2 - IPv4 70
A.1.9 Router Zerberus - IPv4 72
A.1.10 Host Anchor - IPv4 73
A.1.11 Host Dinghy - IPv4 74
A.2 IPv6 Configuration 78
A.2.1 Router Anchor - IPv6 78
A.2.2 Router Dinghy - IPv6 84
A.2.3 Router Edge1 - IPv6 89
A.2.4 Router Edge2 - IPv6 91
A.2.5 Router Core4 - IPv6 93
A.3 RADIUS 99
A.4 Ploticus 101
A.5 MRTG 104
A.6 Expect 107

B Problem and Resolution Log 113
B.1 2002-09-00 - Installing NetBSD on SGI Indy 113
B.1.1 Status: SOLVED 113
B.1.2 Symptom 113
B.1.3 Analysis 113
B.1.4 Solution 114
B.1.5 Symptom 115
B.1.6 Analysis 115
B.1.7 Solution 115
B.1.8 Symptom 115
B.1.9 Analysis 115
B.1.10 Solution 116
B.2 2001-10-06 - GateD: No IP forwarding 117
B.2.1 Status: SOLVED 117
B.2.2 Symptom 117
B.2.3 Analysis 117
B.2.4 Solution 117
B.3 2001-10-04 - Zebra OSPFd on NetBSD does not form Adjacency 118
B.3.1 Status: SOLVED 118
B.3.2 Symptom 118
B.3.3 Analysis 120
B.3.4 Solution 123
B.4 2001-03-17 - RADIUS on DEC Alpha running NetBSD 124
B.4.1 Status: OPEN 124
B.4.2 Symptom 124
B.4.3 Analysis 124
B.4.4 Solution 126

C Activity Log 127
C.1 How to add IPv6 to the Lab Network 127
C.1.1 Configure Route Reflectors 127
  Enable IPv6 on Anchor and Dinghy 127
  Configure IPv6 Addresses on Ethernet and Loopback Interfaces 128
  Create Tunnel between Anchor and Dinghy 128
  Configure iBGP between Anchor and Dinghy 130
C.1.2 Configure Cisco Edge Router 136
  Enable IPv6 on Edge Router 136
  Configure Tunnels 136
  Configure BGP on Route Reflectors 138
  Configure BGP on Cisco Edge Router 140
  Test Static Route and Tunnel 141
  Check BGP 142
  Configure RIPv6 150
C.1.3 Configure NetBSD/Zebra Edge Router 152
C.2 Configuring DJBDNS 153

D Xyplex MaxServer 1600 158
D.1 Access Server Administrator's Primer 158
D.1.1 Bootstrap 158
  Software Image 158
D.1.2 Parameter File 159
D.1.3 Login 160
D.1.4 Configuration 160
D.1.5 Rebooting 162
D.1.6 Normally NOT Suggested 163
D.1.7 Additional Information 164
D.1.8 Additional Documentation and Resources 164
D.2 Setting An MX-1600, MX-1608 or MX-1450 To Factory Defaults 166
D.2.1 Configuring MX1600 To Load Image Via DTFTP 168
D.3 Configuring SYSLOG On Access Servers 171
D.3.1 Configure the Access Server for SYSLOGD 171
D.3.2 *Setting a Priority Number 171
D.3.3 Configure the Unix Host for SYSLOGD 172

Document History 173

Figures

2.1 Network Architecture 6
3.1 Office Network - Physical Design 10
3.2 Office Network - Logical Design 11
4.1 Lab Network - Physical Design 22
4.2 Lab Network - Logical Design 23
4.3 Lab Network - IPv6 Logical Design 24
4.4 Lab Network - IPv6 Routing 25
4.5 Lab Network - MPLS Logical Design 26
5.1 Pagent TGN 41
5.2 Expect script rtr3 42
5.3 Example of a Ploticus CPU utilization graph 43
5.4 Example of a Ploticus memory utilization graph 44
5.5 Example of a MRTG CPU utilization graph 48
5.6 Example of a MRTG memory utilization graph 49
5.7 Example of a MRTG free memory graph 50

Tables

3.1 Office Network - Inventory 7
3.2 Office Network - IP Address Assignment 8
4.1 Lab Network - Inventory 15
4.2 Lab Network - IP Address Assignment 17
1 Document History 173

Page 8: Network static Lab workbook

1

1 Introduction

During the course of my lab sessions I found myself frequently re-cabling boxes and typing basic configuration statements into routers. I thought it would be convenient to have a default laboratory configuration that supports a wide variety of experiments without significant changes in the physical setup.

I also found myself occasionally in a situation where my wife wanted to do something fancy, such as printing a letter or surfing the web, and could not do so because I was using the equipment.

To solve my problem I developed a network architecture that is separated in two parts, an office networkand a laboratory network.

Office network (also termed "production network") provides a stable environment for tasks that are not directly related to laboratory work, such as providing Internet access to my family. However, the services of the office network are also available to the laboratory network.

Laboratory network provides the network engineer's playground.

1.1 Document Purpose

The purpose of this document is to describe both the office and the laboratory network, including:

• Network architecture

• Network services

• Devices and device configuration

• Key software tools used in the network

• "Cheat sheet" for common configuration problems

• Problem and problem resolution log

1.2 Research Resources

Cisco Router Cisco's web site (http://www.cisco.com/tac/) provides a wealth of information for the network professional, ranging from networking basics to in-depth treatment of Cisco products.

SNMP Object Navigator http://www.cisco.com/cgi-bin/Support/Mibbrowser/unity.pl

Xylan PizzaSwitch Xylan has been acquired by Alcatel (http://www.ind.alcatel.com/). Some of the old PizzaSwitches (at least parts of them) are still alive under the name OmniSwitch.

Xyplex Terminal Server iTouch Communications (http://www.itouchcom.com/) has taken over the old Xyplex product line. [1]

[1] The documentation used to be at the URL http://www.nbase-xyplex.com/support/documentation/ and documentation specific to the Maxserver 1600 was available at the URL http://www.nbase-xyplex.com/support/documentation/product/guide/index.cfm?doc=accessserver.


Conserver (http://www.conserver.com/) is an application that allows multiple users to watch a serial console at the same time. It can log the data, allows users to take write-access of a console (one at a time), and has a variety of bells and whistles to accentuate that basic functionality. The idea is that conserver will log all your serial traffic so you can go back and review why something crashed, look at changes (if done on the console), or tie the console logs into a monitoring system (just watch the logfiles it creates). With multi-user capabilities you can work on equipment with others, mentor, train, etc. It also does all that client-server stuff so that, assuming you have a network connection, you can interact with any of the equipment from home or wherever.

The Greater Scroll of Console Knowledge (http://www.conserver.com/consoles/) provides links to various pages with information regarding serial ports, console servers, and the Conserver program.

Stokely Consulting (http://www.stokely.com/) provides Unix serial port and system administrator resources.

tcpdump The home page of tcpdump and libpcap can be found at the URL http://www.tcpdump.org/.

Ethereal is a network protocol analyzer for Unix and Win32. The home page of Ethereal can be found at the URL http://www.ethereal.com/.

Scotty The home page of Scotty can be found at the URL http://wwwhome.cs.utwente.nl/~schoenw/scotty/. Information on Scotty and other network management tools, such as libsmi, can be found at the TU Braunschweig at the URL http://www.ibr.cs.tu-bs.de/projects/nm/.

libsmi The home page of the libsmi library can be found at the URL http://www.ibr.cs.tu-bs.de/projects/libsmi/.

GxSNMP is a network management application for the GNOME project. The home page of GxSNMP can be found at the URL http://www.gxsnmp.org.

http://www.snmplink.org/ This site provides links and information about SNMP, MIBs, etc. It also offers a good list of SNMP and network management related tools.

MRTG (Multi Router Traffic Grapher) is a tool to monitor the traffic load on network links. MRTG generates HTML pages containing graphical images which provide a live visual representation of this traffic. The home page of MRTG can be found at the URL http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/mrtg.html.

RRDTool is a system to store and display time-series data such as network bandwidth utilization. It stores the data in a very compact way that will not expand over time, and it presents useful graphs by processing the data to enforce a certain data density. It can be used either via simple wrapper scripts (from shell or Perl) or via frontends that poll network devices and put a friendly user interface on it.

If you know MRTG, you can think of RRDtool as a reimplementation of MRTG's graphing and logging features, magnitudes faster and more flexible than you ever thought possible.

The home page of RRDTool can be found at the URL http://www.rrdtool.org/.

Cricket is a very flexible system for monitoring trends in time-series data. Cricket was expressly developed to help network managers visualize and understand the traffic on their networks. It has two components, a collector and a grapher. The collector runs periodically from cron and stores data into a data structure managed by RRDTool. Later, when you want to check on the data you have collected, you can use a web-based interface to view graphs of the data.


Cricket reads a set of configuration files called a config tree. The config tree expresses everything Cricket needs to know about the types of data to be collected, how to get it, and from which targets it should collect data. The config tree is designed to minimize redundant information, making it compact and easy to manage, and preventing silly mistakes from occurring due to copy-and-paste errors.

The home page of Cricket can be found at the URL http://cricket.sourceforge.net/.

OpenNMS is an open-source project dedicated to the creation of an enterprise grade network management platform. The home page of OpenNMS can be found at the URL http://www.opennms.org/.

Zebra is free software (distributed under the GNU General Public License) that manages TCP/IP based routing protocols. The Zebra home page can be found at the URL http://www.zebra.org/.

The MRT project is researching routing software architectures, protocols and tools. The MRT (Multi-threaded Routing) toolkit has been used to build a wide variety of tools, ranging from production Internet and 6bone routing daemons to BGP fault-injection and traffic generation test packages. MRT software is in active use providing stress testing of commercial routers, collecting and analyzing Internet routing traffic for researchers, and serving as routing software connecting networks to the Internet and the 6Bone.

MRT is no longer actively developed.

The MRT home page can be found at the URL http://merit.edu/mrt/.

GateD routing software is no longer available to the public. See http://www.gated.org for more details.

Nessus is a free, powerful, up-to-date and easy to use remote security scanner. A security scanner is software that remotely audits a given network and determines whether attackers could break into it, or misuse it in some way.

The Nessus home page can be found at the URL http://www.nessus.org/.

Nmap (Network Mapper) is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services they are offering, what operating system they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL.

The Nmap home page can be found at the URL http://www.insecure.org/nmap/.

ntop is a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntop is based on libpcap and it has been written in a portable way in order to run on virtually every Unix platform and on Win32 as well. ntop comes with two applications: the "classical" ntop, which sports an embedded web server, and intop (interactive ntop), which is basically a network shell based on the ntop engine.

The ntop home page can be found at http://www.ntop.org/.

NTP

SNI PC


Edimax (http://www.edimax.com/) manufactures the PS-1000A+ print server.

http://www.netbsd.org/Ports/alpha/ The NetBSD/alpha site provides a lot of good information on DEC Alpha machines. Chris Demetriou's Alpha documentation reference list discusses available DEC Alpha documentation. Very good!

http://ftp.digital.com/pub/DEC/Alpha/firmware/ This site provides Alpha systems firmware updates.

ftp://gatekeeper.dec.com/pub/ This is the old public domain software site of DEC. It still has some good (old) stuff on it.

http://www.compaq.com/alphaserver/workstations/retired/index.html The site provides information, such as user guides or system specifications, regarding retired Alpha workstations. It will probably not stay around for long now that HP owns Compaq/DEC.

http://www.netbsd.org/Ports/sgimips/faq.html The NetBSD/sgimips site provides a lot of information regarding NetBSD on SGI machines.

http://futuretech.mirror.vuurwerk.net/sgi.html This site provides a lot of information regarding SGI and Irix, including a network installation guide for Irix.

http://www.reputable.com/indytech.html This site provides a lot of technical information regarding the SGI Indy.

http://www.sgi.com/ The web site of SGI.


2 Network Architecture

2.1 Topology Overview

The network has two main components:

• Office or production network

• Laboratory network

2.2 Design Considerations

The network architecture was designed with the following considerations in mind.

• The office network shall provide basic services (Internet access, printing) using as little equipment as possible.

• Services and resources of the office network, such as Internet access and printing, shall be available to the lab network as well.

• Services of the office network must not depend on the lab network or parts of it.

• Key components of the office network shall not be used in labs. Reconfiguration of devices (Internet access router) impacting basic services of the office network should be avoided.

• The lab network should be flexible enough to allow setting up a variety of network designs without re-cabling the devices.

• The lab network should provide configuration modules/procedures that speed up the process of generating configurations for specific lab setups.

• The lab network should provide test procedures to validate correct operation of the baseline network.

• The lab network should provide a tool chest for common tasks, such as gathering performance data, in various experiments.

2.3 Design Constraints

• Lack of time.

• Lack of money. [2]

• Lack of space.

[2] Leading to lack of flash memory in my routers.


[Figure 2.1 residue; source drawing static-lab-2-office.graffle, v1.3, 2002/08/12 (markus). Title: "Static Lab - Interfacing between Laboratory and Production Network" (http://www.brest-lab.net). Production Network (IP 172.16.254.0/24, Ethernet) with Internet, c1603 Zerberus (.1), iBook Fruchtzwerg, DEC Alpha Anchor (.2) and an Aironet 350 access point; Laboratory Network with c2501 Edge1, c2501 Core1, c2501 Core2, c2501 Core3, c2503 Edge2, i386 Edge3 and c4500M Pagent, interconnected by Frame Relay; the lab-side router attaches to the production Ethernet as .254.]

Figure 2.1 Network Architecture


3 Office Network

3.1 Physical Design

The office network is designed around a 10 MBit/sec Ethernet hub. These are the main components of the network:

Zerberus is a Cisco 1603 router providing Internet connectivity and DHCP service.

Radio is a Cisco Access Point 350 providing wireless access to the office network.

Fruchtzwerg is a beautiful Apple iBook used as workstation.

Printer is an HP Deskjet 520 printer attached to the Ethernet hub using an Edimax PS-1000A+ print server.

Anchor is a DEC Alpha Station 200 4/233 providing services such as DNS, NTP, and SYSLOG. Anchor is basically a lab box and not required for operation of the office network. Zerberus provides T-Online name server addresses to DHCP clients. DNS service on node Anchor is limited to the lab network.

Max is a Xyplex MaxServer 1600 terminal server attached to the Ethernet hub providing access to the console ports of lab devices. It is not required for operation of the office network.

Name         Vendor  Model                    OS                             Memory                   Hard Disk     NIC
Zerberus     Cisco   1603                     IOS 12.2(8)T5 IP+ feature set  10 MB DRAM, 16 MB Flash  none          Ethernet0, BRI0
Anchor       DEC     Alpha Station 200 4/233  NetBSD 1.6                     128 MB                   9 GB          tlp0, ep0
Fruchtzwerg  Apple   iBook                    MacOS 10.1.5                   256 MB                   18 GB, CD-RW  en0, en1
Radio        Cisco   AP 350                   AP 11.21                       -                        -             fec0, awc0
Max          Xyplex  MaxServer 1600           ?                              ?                        none          Ethernet0, 16 async
Printer      Edimax  PS-1000A+                v9.6                           -                        none          10BaseT

Table 3.1 Office Network - Inventory


3.2 Logical Design

The office network uses the IPv4 protocol [3] with addresses from the RFC 1918 address space 172.16.254.0/24.

Router Zerberus has a default route pointing to its Dialer1 interface. Hosts in the office network have a default route pointing to the Ethernet interface (172.16.254.1) of router Zerberus.

The laboratory network can be connected to an Ethernet port of the office network. Router Zerberus has static routes (192.168.0.0/16, 172.16.0.0/16, 10.0.0.0/8) to the laboratory network configured. The next hop of these routes is 172.16.254.254. The laboratory router connecting to the production network has this address configured on its Ethernet interface. It has a default route configured pointing to 172.16.254.1. This default route can be propagated to other routers in the laboratory network.

Host Anchor can be connected to the laboratory network using a free LAN card.

Name      Interface  IP Address      Remark
Zerberus  Ethernet0  172.16.254.1    Internet router
Zerberus  Dialer1    negotiated      Internet via T-Online
Anchor    tlp0       172.16.254.2    Server
Anchor    ep0        DHCP            Interface to lab network
                     172.16.254.3    unassigned
Printer   Ethernet   172.16.254.4    Print Server
Max       Ethernet   172.16.254.5    Console server for lab routers
Radio     fec0       172.16.254.6    Access point Ethernet
Radio     awc0       172.16.254.6    Access point radio
                     172.16.254.7    unassigned
                     172.16.254.8    unassigned
                     172.16.254.9    unassigned
                     172.16.254.10   unassigned
                     172.16.254.11   Begin of DHCP pool served by Zerberus
                     . . .
                     172.16.254.254  Interface to the lab network

Table 3.2 Office Network - IP Address Assignment

3.3 Network Services

3.3.1 Internet Access

Router Zerberus provides Internet access to the office and lab network.

TODO: NAT, dialer list, etc.

[3] Zerberus and Anchor run IPv6-enabled software.


3.3.2 DHCP

Router Zerberus provides DHCP service for the office network. It provides a requesting node with IP address, default gateway (172.16.254.1), name server (194.25.2.133, 194.25.2.132, 194.25.2.131, 194.125.2.130), and domain name (brest-lab.net) information.

3.3.3 DNS

Node Anchor provides DNS service to the lab network. Please refer to page 27 for a detailed description of the service implementation.

3.3.4 TFTP

Node Anchor provides TFTP boot service. A boot image for the Xyplex terminal server resides in the directory /tftpboot/xyplex. Boot images for the SGI Indy reside in the directory /tftpboot/netbsd.

Please refer to page 27 for a detailed description of the service implementation.

3.3.5 Printing

Anchor Node Anchor uses CUPS (http://www.cups.org/) as printing system. Please refer to page 27 for a detailed description of the implementation.

Fruchtzwerg Printing to the network attached HP Deskjet is configured according to "Balthisar's Guide to Non-Supported Mac OS X Printing" (http://www.balthisar.com/printing/).

3.3.6 X11

Anchor Despite the fact that node Anchor is a head-less workstation [4] it does have the X11 system installed. Since it does not have a graphics controller or monitor, no fancy X11 server configuration is required.

Fruchtzwerg Node Fruchtzwerg has the XDarwin X11 server (http://www.xdarwin.org/) and the OroborOSX window manager (http://wrench.et.ic.ac.uk/adrian/) installed. X11 clients on node Anchor can display using the X11 server hosted on node Fruchtzwerg.

[4] "Head-less" means it does not have a graphics controller or monitor attached to it. The machine uses a serial console device.


[Figure 3.1 residue; source drawing office-physical-topology.graffle, v1.5, 2002/10/09 (markus). Title: "Office Network - Physical Design" (http://www.brest-lab.net). Devices around an 8-port Ethernet Hub: Cisco 1603 Zerberus (IOS-Firewall; Dia1 IP negotiated, Eth0 IP 172.16.254.1/24; routes 10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/16 toward the Laboratory Network and 0.0.0.0/0 toward the Internet/T-Online); DEC AS200 Anchor (NetBSD-Core; tlp0 IP 172.16.254.2/24, ep0 IP DHCP); Cisco AP 350 Radio (AP S/W 11.21; fec0 IP 172.16.254.6/24, awc0); Xyplex MaxServer 1600 Max (v7.?; Eth0); HP Deskjet 520 Printer with Print Server; Apple iBook Fruchtzwerg (MacOS X 10.1.5; en0, en1, IP DHCP); lab router interface IP 172.16.254.254/24.]

Figure 3.1 Office Network - Physical Design


[Figure 3.2 residue; source drawing office-logical-design.graffle, v1.2, 2002/08/13 (markus). Title: "Office Network - Logical Design" (http://www.brest-lab.net). Office Network IP 172.16.254.0/24 with Zerberus (172.16.254.1; NAT, DHCP server, name server; IP negotiated toward the Internet; default route 0.0.0.0/0), Lab Router (172.16.254.254 on the office side, Lab IP address on the lab side; Zerberus carries static routes 10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/16 toward it; default route 0.0.0.0/0), Anchor (172.16.254.2, IP DHCP on the lab side; default route 0.0.0.0/0), a DHCP Client, and the Lab Network IP 10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/16.]

Figure 3.2 Office Network - Logical Design


4 Lab Network

4.1 Physical Design

The static lab network consists mainly of five Cisco 2500 series routers. The routers are daisy-chained via their serial interfaces using back-to-back cables. Core routers act as Frame Relay switches, thus providing the capability to implement a variety of different logical topologies. By convention, interface Serial0 always provides clocking. A diagram of the physical design can be found on page 22.

These are the main components of the static lab network:

Core1 is a Cisco 2501 router running IOS-MPLS software.

Core2 is a Cisco 2501 router running IOS-MPLS software.

Core3 is a Cisco 2501 router running IOS-MPLS software.

Core4 is an i386 PC running NetBSD-MPLS software.

Edge1 is a Cisco 2501 router running IOS-Edge software.

Edge2 is a Cisco 2503 router running IOS-Edge software.

Anchor is a DEC Alpha Station 200 running NetBSD-Core software.

In basic configuration Anchor serves as IPv4 host. It provides ftp, tftp and syslog services for lab routers. It participates in NTP peering with all lab routers and node Dinghy. Anchor also participates in OSPF routing. Configuration files for basic operation can be found on page 73.

With additional IPv6 configuration Anchor serves as IPv6 hub router. Configuration files for IPv6 operation can be found on page 78.

Dinghy is an SGI Indy running NetBSD-Core software.

In basic configuration Dinghy serves as IPv4 host. It provides ftp, tftp and syslog services for lab routers. It participates in NTP peering with all lab routers and NTP server Anchor. Dinghy also participates in OSPF routing. Configuration files for basic operation can be found on page 74.

With additional IPv6 configuration Dinghy serves as IPv6 hub router. Configuration files for IPv6 operation can be found on page 84.

Pagent is a Cisco 4500m router running IOS-Pagent.


4.1.1 Software

The following software versions are used in the lab.

IOS-MPLS

Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-P-L), Experimental Version 12.0(20011017:155337) [rraszuk-New_reorg_oct17 109]
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Sat 20-Oct-01 04:12 by rraszuk

NetBSD-MPLS

NetBSD 1.5.2/i386

AYAME 0.3
Zebra-AYAME 0.93b

IOS-Edge

Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.2(11)T, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 01-Aug-02 18:38 by ccai

NetBSD-Core

NetBSD 1.6/alpha
NetBSD 1.6/sgimips

Zebra 0.93b
GateD 3.6/public

IOS-Pagent

Cisco Internetwork Operating System Software
IOS (tm) 4500 Software (C4500-TSPGEN-M), Experimental Version 12.2(20020815:031451) [nkalyan-build 126]
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 15-Aug-02 03:22 by nkalyan

Pagent version 3.7.0

Configuration Files

Configuration files are subject to version control. The files are stored in RCS.


In case of a Cisco router the following convention will be used. Revision information will be put into the description of a router's loopback interface. This way version information can be retrieved easily from a running router. Since a router's configuration can be composed from multiple modules [5] a number of loopback interfaces are used.

The following mapping will be used for the static lab:

• Loopback 0 = Version number of a router's basic IPv4 configuration

• Loopback 1 = Version number of module for common configuration commands

• Loopback 2 = Version number of module RADIUS authentication

• Loopback 3 = Version number of module TACACS authentication

• Loopback 10 = Version number of a router's basic MPLS configuration

• Loopback 11 = Version number of a router's MPLS VPN configuration

• Loopback 20 = Version number of a router's basic IPv6 configuration

On a running router version information can be retrieved by looking at the configuration file:

Core1#write terminal
<snip>
interface Loopback0
 description $Id: core1-confg,v 1.3 2002/10/19 15:49:11 markus Exp $
 ip address 172.16.0.1 255.255.255.255
 no ip directed-broadcast
!
interface Loopback1
 description $Id: common-confg,v 1.2 2002/10/25 14:15:13 markus Exp $
 no ip address
 no ip directed-broadcast
!
interface Loopback10
 description $Id: core1-mpls-confg,v 1.3 2002/10/24 14:26:21 markus Exp $
 no ip address
 no ip directed-broadcast
<snip>

Another way of retrieving version information is looking at the interface description:

Core3#show interfaces loopback 0 description
Interface Status Protocol Description
Lo0 up up $Id: core3-confg,v 1.3 2002/10/12 14:30:02 markus Exp $
Core3#show interfaces loopback 1 description
Interface Status Protocol Description
Lo1 up up $Id: common-confg,v 1.2 2002/10/25 14:15:13 markus Exp $
Core3#show interfaces loopback 10 description
Interface Status Protocol Description
Lo10 up up $Id: core3-mpls-confg,v 1.3 2002/10/24 14:26:34 markus Exp $
Core3#

[5] Some modules are generic while others are specific to a router.
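As an added example (not part of the workbook), a small Python checker that parses the loopback descriptions shown above, extracts the RCS revision of each configuration module, and reports drift against an expected baseline. The loopback-to-module mapping is the one laid down above; the baseline revisions and the expectation of a RADIUS module are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Loopback number -> configuration module, the mapping laid down in the workbook.
LOOPBACK_MODULES = {
    0: "basic IPv4 configuration", 1: "common configuration commands",
    2: "RADIUS authentication", 3: "TACACS authentication",
    10: "basic MPLS configuration", 11: "MPLS VPN configuration",
    20: "basic IPv6 configuration",
}

# RCS keyword as written into the description, e.g.
# $Id: core3-confg,v 1.3 2002/10/12 14:30:02 markus Exp $
RCS_ID = re.compile(
    r"\$Id:\s+(?P<file>\S+),v\s+(?P<rev>\d+(?:\.\d+)+)\s+"
    r"(?P<date>\d{4}/\d{2}/\d{2})\s+\d{2}:\d{2}:\d{2}\s+(?P<author>\S+)\s+\S+\s+\$")

# Data row of 'show interfaces loopback N description': "Lo0 up up <description>"
DESC_ROW = re.compile(r"^Lo(?P<num>\d+)\s+\S+\s+\S+\s*(?P<desc>.*)$")


@dataclass
class ModuleVersion:
    loopback: int
    module: str
    file: str
    revision: str
    date: str
    author: str


def parse_loopback_descriptions(output: str) -> List[ModuleVersion]:
    """Return one ModuleVersion per loopback whose description carries an RCS $Id$.
    Takes the raw text of one or more 'show interfaces loopback N description'
    commands pasted together; prompt and header lines are skipped."""
    versions = []
    for raw in output.splitlines():
        row = DESC_ROW.match(raw.strip())
        if not row:
            continue
        tag = RCS_ID.search(row.group("desc"))
        if not tag:
            continue  # untagged loopback: check_against_baseline reports it as missing
        num = int(row.group("num"))
        versions.append(ModuleVersion(num, LOOPBACK_MODULES.get(num, "unknown module"),
                                      tag.group("file"), tag.group("rev"),
                                      tag.group("date"), tag.group("author")))
    return versions


def check_against_baseline(found: List[ModuleVersion],
                           baseline: Dict[int, str]) -> Dict[str, List[str]]:
    """Compare the revisions running on a router with the expected revision per
    loopback; returns 'ok', 'mismatch' and 'missing' findings for a log or monitor."""
    report: Dict[str, List[str]] = {"ok": [], "mismatch": [], "missing": []}
    running = {v.loopback: v for v in found}
    for lb, expected in sorted(baseline.items()):
        v = running.get(lb)
        name = LOOPBACK_MODULES.get(lb, "unknown module")
        if v is None:
            report["missing"].append(f"Loopback{lb} ({name}): no $Id$ tag found")
        elif v.revision != expected:
            report["mismatch"].append(
                f"Loopback{lb} ({name}): running {v.file} {v.revision}, expected {expected}")
        else:
            report["ok"].append(f"Loopback{lb} ({name}): {v.file} {v.revision}")
    return report


# Constructed sample input: the Core3 session as printed in the workbook.
SAMPLE_OUTPUT = """\
Core3#show interfaces loopback 0 description
Interface Status Protocol Description
Lo0 up up $Id: core3-confg,v 1.3 2002/10/12 14:30:02 markus Exp $
Core3#show interfaces loopback 1 description
Interface Status Protocol Description
Lo1 up up $Id: common-confg,v 1.2 2002/10/25 14:15:13 markus Exp $
Core3#show interfaces loopback 10 description
Interface Status Protocol Description
Lo10 up up $Id: core3-mpls-confg,v 1.3 2002/10/24 14:26:34 markus Exp $
Core3#
"""

# Constructed (hypothetical) baseline: the MPLS module is expected at 1.4, and a
# RADIUS module (Loopback2) is expected that this router does not carry.
EXPECTED_REVISIONS = {0: "1.3", 1: "1.2", 2: "1.1", 10: "1.4"}

if __name__ == "__main__":
    found = parse_loopback_descriptions(SAMPLE_OUTPUT)
    for kind, lines in check_against_baseline(found, EXPECTED_REVISIONS).items():
        for line in lines:
            print(f"[{kind.upper()}] {line}")
```

Run against a real router, the input would be the captured output of the three show commands (for instance via the Expect scripts described later in the workbook), and a non-empty mismatch or missing list is the signal that a router is not running the baseline modules.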


4.1.2 Hardware

Name    Vendor  Model              OS           Memory                                   Hard Disk     NIC
Core1   Cisco   2501               IOS-MPLS     16 MB DRAM, 8 MB Flash                   none          Ethernet0, Serial0, Serial1
Core2   Cisco   2501               IOS-MPLS     16 MB DRAM, 8 MB Flash                   none          Ethernet0, Serial0, Serial1
Core3   Cisco   2501               IOS-MPLS     16 MB DRAM, 8 MB Flash                   none          Ethernet0, Serial0, Serial1
Core4   SNI     Pro C5             NetBSD-MPLS  48 MB DRAM                               4 GB, 4 GB    rtk0, rtk1, ne2
Edge1   Cisco   2501               IOS-Edge     16 MB DRAM, 16 MB Flash                  none          Ethernet0, Serial0, Serial1
Edge2   Cisco   2503               IOS-Edge     16 MB DRAM, 16 MB Flash                  none          Ethernet0, Serial0, Serial1, BRI0
-       Cisco   Pix 501            PIX 6.1(2)   16 MB DRAM                               none          Ethernet0, Ethernet1
Anchor  DEC     Alpha Station 200  NetBSD-Core  128 MB DRAM                              9 GB, CD-ROM  tlp0, ep0
Dinghy  SGI     Indy               NetBSD-Core  64 MB DRAM                               2 GB          sq0
Pagent  Cisco   4500m              IOS-Pagent   32 MB DRAM, 16 MB Flash, 8 MB Bootflash  none          Ethernet0, Ethernet1, Serial0, Serial1, BRI0, BRI1, BRI2, BRI3

Table 4.1 Lab Network - Inventory


4.2 Logical Design

The static laboratory network uses IPv4 addresses from the RFC 1918 address space.

The static lab uses OSPF as routing protocol for IPv4. All interfaces are in area 0 except the Ethernet interfaces of edge routers, which are each in their own area.

Zebra OSPFd

Zebra was compiled with the options --enable-snmp, --enable-tcp-zebra, --enable-nssa, --enable-opaque-lsa, --enable-ospf-te, and --enable-multipath=4.

Please note that Zebra's OSPF daemon on a NetBSD system requires static routes for the multicast addresses 224.0.0.5 and 224.0.0.6 in order to establish adjacency with peer routers (see problem log entry B.3 on page 118).


Name    Interface    IP Address                Remark
Core1   Loopback0    172.16.0.1/32
        Serial0.100  ip unnumbered Loopback0   PVC to Core2 (Trunk)
        Serial1.100  ip unnumbered Loopback0   PVC to Core3 (Trunk)
        Serial0.200  ip unnumbered Loopback0   PVC to Edge1 (Access)
        Ethernet0    172.16.255.1/24           Trunk link to Core4, Dinghy
Core2   Loopback0    172.16.0.2/32
        Serial1.100  ip unnumbered Loopback0   PVC to Core1 (Trunk)
        Serial1.200  ip unnumbered Loopback0   PVC to Core3 (Trunk)
        Serial0.100  ip unnumbered Loopback0   PVC to Edge1 (Access)
        Serial1.300  ip unnumbered Loopback0   PVC to Edge2 (Access)
        Ethernet0    172.16.254.254/24         Office LAN, Trunk link to Anchor
Core3   Loopback0    172.16.0.3/32
        Serial0.100  ip unnumbered Loopback0   PVC to Core1 (Trunk)
        Serial0.200  ip unnumbered Loopback0   PVC to Core2 (Trunk)
        Serial1.100  ip unnumbered Loopback0   PVC to Edge2 (Access)
        Ethernet0    172.16.3.1/30             Trunk link to Core4
Core4   rtk0         172.16.3.2/30             Access link to Core2
        rtk1         172.16.3.6/30             Access link to Core3
        ne2          10.3.1.1/24               Core4 LAN
Edge1   Loopback0    172.16.0.11/32
        Serial1.100  ip unnumbered Loopback0   PVC to Core2 (Access)
        Serial1.200  ip unnumbered Loopback0   PVC to Core1 (Access)
        Ethernet0    10.1.1.1/24               Edge1 LAN
Edge2   Loopback0    172.16.0.12/32
        Serial0.300  ip unnumbered Loopback0   PVC to Core2 (Access)
        Serial0.100  ip unnumbered Loopback0   PVC to Core3 (Access)
        Ethernet0    10.2.1.1/24               Edge2 LAN
Pagent  Loopback0
        Ethernet0    172.16.255.254/24         Core1, Core4, Dinghy
        Ethernet1    10.3.1.254/24             Core4

Table 4.2 Lab Network - IP Address Assignment
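A consistency check over Table 4.2, as an added example in Python (not part of the workbook): the rows are transcribed from the table above, the peer column is the router named in each row's remark, and the function and variable names are mine. The check finds addresses outside RFC 1918, duplicate addresses, /30 links with a missing far end, and a remark that names a different peer than the subnet arithmetic does. Run on the table as printed it reports two findings: Core4 rtk0 (172.16.3.2/30) shares its /30 with Core3 Ethernet0 (172.16.3.1/30) although its remark says Core2, and 172.16.3.4/30 (Core4 rtk1) has no second end in the table.

```python
"""Consistency checks over a lab addressing table (added example).

The rows below are transcribed from Table 4.2; 'peer' is the router named in
the row's remark, or None for loopbacks and LANs. Interfaces configured with
'ip unnumbered' carry no address of their own and are left out.
"""
import ipaddress
from collections import defaultdict

# (router, interface, address/prefix, peer named in the remark) - from Table 4.2
TABLE = [
    ("Core1",  "Loopback0", "172.16.0.1/32",     None),
    ("Core1",  "Ethernet0", "172.16.255.1/24",   None),
    ("Core2",  "Loopback0", "172.16.0.2/32",     None),
    ("Core2",  "Ethernet0", "172.16.254.254/24", None),
    ("Core3",  "Loopback0", "172.16.0.3/32",     None),
    ("Core3",  "Ethernet0", "172.16.3.1/30",     "Core4"),
    ("Core4",  "rtk0",      "172.16.3.2/30",     "Core2"),
    ("Core4",  "rtk1",      "172.16.3.6/30",     "Core3"),
    ("Core4",  "ne2",       "10.3.1.1/24",       None),
    ("Edge1",  "Loopback0", "172.16.0.11/32",    None),
    ("Edge1",  "Ethernet0", "10.1.1.1/24",       None),
    ("Edge2",  "Loopback0", "172.16.0.12/32",    None),
    ("Edge2",  "Ethernet0", "10.2.1.1/24",       None),
    ("Pagent", "Ethernet0", "172.16.255.254/24", None),
    ("Pagent", "Ethernet1", "10.3.1.254/24",     None),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(rows):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    owner = {}                      # address -> "router interface"
    by_subnet = defaultdict(list)   # network -> [(router, interface, peer)]
    for router, ifname, cidr, peer in rows:
        iface = ipaddress.ip_interface(cidr)
        where = f"{router} {ifname}"
        if not any(iface.ip in net for net in RFC1918):
            findings.append(f"{where}: {iface.ip} is outside RFC 1918 space")
        if iface.ip in owner:
            findings.append(f"{where}: {iface.ip} already used by {owner[iface.ip]}")
        owner[iface.ip] = where
        by_subnet[iface.network].append((router, ifname, peer))

    for net, members in sorted(by_subnet.items()):
        if net.prefixlen != 30:      # only point-to-point /30 links are checked for pairing
            continue
        if len(members) != 2:
            ends = ", ".join(f"{r} {i}" for r, i, _ in members)
            findings.append(f"{net}: point-to-point link has {len(members)} end(s) in the table: {ends}")
            continue
        (r1, i1, p1), (r2, i2, p2) = members
        for me, mine, claimed, other in ((r1, i1, p1, r2), (r2, i2, p2, r1)):
            if claimed is not None and claimed != other:
                findings.append(f"{me} {mine}: remark says {claimed}, but {net} pairs it with {other}")
    return findings


if __name__ == "__main__":
    for line in check_plan(TABLE) or ["address plan is consistent"]:
        print(line)
```

The same check is worth re-running after every rebuild of the lab, since a remark that names the wrong peer is exactly what makes a PVC or /30 get patched to the wrong router.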


4.2.1 MPLS

Unsupported MPLS images on c2500; AYAME code on NetBSD box;

TODO: config principle and examples


4.2.2 IPv6

The IPv6 network shall provide a robust IPv6 transport service for whole networks. Solutions targeting individual host systems or infrequently communicating systems, such as tunnel brokers or automatic tunnels, are not being implemented.

Topology

The IPv6 overlay network uses a partly-meshed, hierarchical design. A hierarchical network design separates a topology into discrete layers, with each layer focusing on a specific set of functions. Typical layers found in hierarchical networks are the core layer, the distribution layer, and the access layer. The lab network uses a two-layer hierarchy. All edge routers are connected to two IPv6 core routers (Anchor and Dinghy).

Figure 4.3 on page 24 shows an overview of the network.

Physical Design

The IPv6 test network uses Cisco routers and routers based on NetBSD and Zebra software.

Today Cisco has probably the most comprehensive IPv6 solution. Since Cisco routers are widely deployed it can be assumed that they will play a dominant role in future IPv6 networks as well.

Zebra (http://www.zebra.org) is, at the time of writing, the only routing software that is freely available and actively developed. GateD routing software (http://www.gated.org) is no longer available to the public and it does not support IPv6. MRT routing software (http://www.merit.edu/mrt) does support IPv6 but is no longer actively developed. Therefore Zebra routing software is used in the IPv6 test network. NetBSD (http://www.netbsd.org) was chosen as platform because it includes the IPv6 implementation of the KAME project (http://www.kame.net) in its default distribution.

A mixture of both tunneling [6] and IPv6-enabled data links is used to create the network.

The following routers are used in the IPv6 network:

• Core routers:

− Anchor

− Dinghy

• Edge routers:

− Edge1

− Edge2

− Core4 (IPv4 core router)

Addressing

The laboratory network uses IPv6 addresses from the "site local" address space (fec0::/10). Site local addresses are functionally equivalent to RFC 1918 addresses in the IPv4 world. Note that site-local unicast addresses were deprecated by RFC 3879 in 2004; a lab built today would use a Unique Local Address prefix from fc00::/7 (RFC 4193) instead.

[6] Tunneling is the encapsulation of IPv6 packets in IPv4 packets so that they can be transported over IPv4-only networks.


Tunnels are configured with "link local" addresses. Global IPv6 addresses are not configured on point-to-point links because we want to minimize the configuration. [7] On Cisco routers tunnel interfaces are configured with ip unnumbered loopback 0 to allow an IPv6 ping from the router.

Routing

A dynamic routing protocol is used to propagate IPv6 routing information. An architecture based entirely on static routing is only appropriate for small networks that change infrequently. However, static routes are used for special cases, such as the loopback interfaces of next-hop routers, or stub networks connected via a single link.

Cisco IOS software supports static routing, RIP, IS-IS and multi-protocol BGP (MP-BGP) for IPv6 routing.

Zebra routing software supports static routing, RIP, OSPF and multi-protocol BGP for IPv6 routing. [8]

RIP (RIPng for IPv6) is the only IGP (Interior Gateway Protocol) that Cisco IOS and Zebra routing software have in common. Since RIP is not suitable for use in wide area networks, the only dynamic IPv6 routing protocol available is multi-protocol BGP. Therefore the IPv6 network uses multi-protocol BGP for the propagation of IPv6 routing information. Private AS 65000 is used for iBGP.

Multi-protocol BGP routes will be redistributed into RIP at the edge and advertised to the local area networks by RIP. IPv6 routes are not learned via RIP, and RIP-derived routes are not redistributed into MP-BGP.

IPv6 routers in the lab use internal BGP (iBGP) to exchange routing information. iBGP requires a full mesh between all iBGP speakers, which limits network scalability (the n^2 problem: n(n-1)/2 sessions for n speakers). A solution is to use route reflectors for iBGP peering. Route reflectors can be either in the forwarding path or dedicated machines. At least two route reflectors are recommended for redundancy purposes.

Routers Anchor and Dinghy are used as route reflectors for iBGP. All BGP-speaking edge routers (Edge1, Edge2) peer with both route reflectors.

Since IPv6 edge router Core4 shares an Ethernet with router Dinghy, RIPng ("RIPv6" in the figures) is used between them instead of iBGP. Please note that Dinghy does not learn the IPv6 networks offered by Core4 via RIP. Static routes towards these networks are defined on Dinghy and redistributed into BGP. That way the other routers (Anchor, Edge1, Edge2) learn the networks attached to Core4. On Dinghy, BGP-derived routes are redistributed into RIP and thus made available to router Core4.

Figure 4.4 on page 25 shows an overview of the routing architecture.

Please bear in mind the following:

• Use redistribute static on the route reflectors to propagate the next-hop address of a directly attached edge router to the other edge routers.

• Do not use peer groups on route reflectors for route reflector clients. [9]

• Use either distance or distribute-list in to prevent learning of routes via RIP.

[7] Remember that the lab shall provide a quick way to build specific test environments. Adding IPv6 addresses to unnumbered links is easier than removing old addresses prior to adding new ones. The same reason dictates the use of ip unnumbered on IPv4 point-to-point links.

[8] There is an ISISd project (http://isisd.sourceforge.net/) which was started in May 2001. The project aims to implement IS-IS on the Zebra platform. Currently ISISd is not integrated in Zebra; it is available as a patch against the Zebra source code.

[9] Stolen from Halabi's BGP book: "Route reflectors can be used in conjunction with peer groups only when the clients of a route reflector are fully meshed. The reasoning is as follows: in a normal situation, a router A that learns a prefix from router B will send a WITHDRAW message back to that router to poison that route. In other words, router A is telling B that this prefix is not reachable via A. This is to prevent a situation where A claims that a prefix is reachable via B, and B claims it is reachable via A. In a peer group the same UPDATE or WITHDRAW message is sent to all members of the group. In a peer group/route reflector situation, a route reflector that has learned a prefix from one of its clients and is trying to poison that route will end up withdrawing that prefix from all the other clients. Because the clients are not talking to each other via BGP, that prefix will be lost."

Host Access

IPv6 end systems can be configured either manually or automatically. A major benefit of IPv6 is the availability of address auto-configuration for host systems.

Automatic host configuration for IPv6 can be done in two ways, using either stateless auto-configuration or DHCPv6. Stateless auto-configuration is used in the IPv6 test network because NetBSD does not support DHCPv6.

Stateless auto-configuration requires that a router on a connected network periodically emits ICMPv6 "router advertisement" messages. These messages contain information such as the IPv6 sub-network prefix and the default router.

An end system listens to router advertisement messages to get its global IPv6 address and the default router. Hosts can also trigger router advertisements by sending an ICMPv6 "router solicitation" message.

Stateless auto-configuration is used in the IPv6 lab network. Keep in mind that any system on the link can send router advertisements, and a rogue advertisement changes the prefix and default route of every host on that LAN; in a shared lab only the intended router should be allowed to emit them.
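What stateless auto-configuration produces on a host, as an added example in Python (not part of the workbook): the advertised prefix fefe:e1::/64 is one of the LAN prefixes labelled in the IPv6 figures, the MAC address is a constructed value, and the interface identifier follows the modified EUI-64 rule of RFC 4291 appendix A. The inverse function shows the privacy cost of that default: the MAC address, and with it the hardware vendor and the host identity, can be read back from the address on any network the host visits, which is what privacy extensions (RFC 3041, later RFC 4941) were introduced to avoid.

```python
"""Stateless address autoconfiguration with modified EUI-64 (added example).

Given the /64 a router advertises and the host's MAC address, compute the
global address the host forms, the link-local address it uses towards the
router, and recover the MAC from an observed address.
"""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 appendix A): split the 48-bit MAC in the
    middle, insert ff:fe, and invert the universal/local bit (0x02) of the
    first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address formed from a router-advertised prefix. RFC 4862 requires
    prefix length + interface identifier length == 128, so a 64-bit EUI-64
    identifier only works with a /64."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError(f"EUI-64 autoconfiguration needs a /64, got /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the same interface identifier."""
    return slaac_address("fe80::/64", mac)


def mac_from_address(addr: str):
    """Inverse: if the low 64 bits look like a modified EUI-64, return the MAC
    as 'aa:bb:cc:dd:ee:ff'; otherwise None (random or privacy identifiers)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    raw = iid.to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None
    mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:8]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    mac = "00:00:0c:12:34:56"      # constructed value, not a lab host
    glob = slaac_address("fefe:e1::/64", mac)
    print("global     ", glob)
    print("link-local ", link_local_address(mac))
    print("recovered  ", mac_from_address(str(glob)))
```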


[Figure 4.1 Lab Network - Physical Design (static-lab-physical-design.graffle, v1.7, 2002/10/19). The drawing repeats the inventory of Table 4.1 and shows how the serial ports are wired: back-to-back cables between the Cisco routers, each with one end as physical DCE and the other as physical DTE; Frame Relay roles DTE, DCE and NNI on the corresponding interfaces; Frame Relay PVCs identified by DLCIs 100, 200, 300 and 400. Ethernet attachments: Eth0/Eth1 on the Cisco routers, rtk0/rtk1/ne2 on Core4, sq0 on Dinghy, tlp0/ep0 on Anchor.]

Figure 4.1 Lab Network - Physical Design


[Figure 4.2 Lab Network - IPv4 Logical Design (static-lab-logical-design.graffle, v1.9, 2002/10/19). Labels in the drawing: OSPF Area 0 on the core and the Frame Relay PVCs (which use "ip unnumbered"); OSPF areas 10.1.1.0, 10.2.1.0 and 10.3.1.0 for the edge Ethernets; link speeds 256 kbps Frame Relay, 64 kbps Frame Relay and 10 Mbps Ethernet; the loopback and interface addresses of Table 4.2 (172.16.0.1/32, 172.16.0.2/32, 172.16.0.3/32, 172.16.0.11/32, 172.16.0.12/32, 172.16.3.1/30, 172.16.3.2/30, 172.16.254.254/24, 172.16.255.1/24, 10.1.1.1/24, 10.2.1.1/24, 10.3.1.1/24) and the addresses 172.16.254.2/24, 172.16.255.2/24 and 172.16.255.4/24, which do not appear in Table 4.2.]

Figure 4.2 Lab Network - Logical Design


[Figure 4.3 Lab Network - IPv6 Logical Design (static-lab-logical-design-inet6.graffle, v1.10, 2002/10/24). Legend: IPv4 only, IPv4 and IPv6, IPv6 only. Note in the drawing: "Link local addresses are used on tunnel interfaces." Tunnel interfaces are gif0 to gif3 on the NetBSD routers and tun0/tun1 on the Cisco routers. IPv6 addresses shown: loopbacks fefe::a/128, fefe::d/128, fefe::e1/128, fefe::e2/128, fefe::e3/128; LAN prefixes fefe:a::1/64, fefe:d::1/64, fefe:d::2/64, fefe:e1::1/64, fefe:e2::1/64, fefe:e3::1/64; point-to-point addresses fefe:bb::1/126, fefe:bb::2/126, fefe:bb:d::1/126.]

Figure 4.3 Lab Network - IPv6 Logical Design


[Figure 4.4 Lab Network - IPv6 Routing (static-lab-logical-design-inet6-routing.graffle, v1.6, 2002/10/21). Roles in the drawing: Anchor and Dinghy as route reflectors, Edge1 and Edge2 as RR clients, Core4 speaking RIPv6 to Dinghy; iBGP sessions between the clients and both reflectors; "redistribute" at the edges and on Dinghy; stateless auto-config hosts on the edge LANs. Notes: "AS 65000 is used for iBGP." and "Link local addresses are used on tunnel interfaces." Addresses as in Figure 4.3.]

Figure 4.4 Lab Network - IPv6 Routing


[Figure 4.5 Lab Network - MPLS Logical Design (static-lab-logical-design-mpls.graffle, v1.1, 2002/10/11). Same nodes, interfaces and IPv4 addresses as Figure 4.2, with regions of the drawing labelled MPLS and IPv4.]

Figure 4.5 Lab Network - MPLS Logical Design


5 Network Services

5.1 DNS

Hosts Anchor and Dinghy provide name service for IPv4 and IPv6 systems in the lab network. Both machines use DJBDNS instead of BIND. A configuration example can be found on page 153ff.

5.2 FTP and TFTP

TBD

5.3 Logging

TBD

5.4 NTP

Host Anchor plays the role of the lab's NTP server. All lab routers peer with each other and with hosts Dinghy and Anchor. Configuration commands can be found on pages 54 (router), 73 (Anchor), and 74 (Dinghy).

5.5 Printing

TBD

5.6 netdb (http://www.net.cmu.edu/netreg/)

TBD

5.7 VideoLAN (www.videolan.org)

TBD -> Probably interesting for multicast labs.

5.8 Kismet (www.kismetwireless.net)


TBD

5.9 Network Verification Toolkit

The following sections describe tools that can be used to verify correct operation of lab networks.

5.9.1 Some Tools that come with IOS

Service Assurance Agent

Service Assurance Agent (SAA) is the new name for the Response Time Reporter (RTR) feature that was introduced in Cisco IOS release 11.2. The feature allows monitoring of network performance by measuring key Service Level Agreement (SLA) metrics such as response time, network resources, availability, jitter, connect time, packet loss and application performance.

The following example shows an implementation of ping probes on a router. No configuration is requiredon the remote routers.

    LER12#wr t
    Building configuration...

    <snip>

    rtr 11
     type echo protocol ipIcmpEcho 172.16.0.11
    rtr schedule 11 life forever start-time now
    !
    rtr 12
     type echo protocol ipIcmpEcho 172.16.0.12
    rtr schedule 12 life forever start-time now
    !
    rtr 13
     type echo protocol ipIcmpEcho 172.16.0.13
    rtr schedule 13 life forever start-time now
    !
    rtr 14
     type echo protocol ipIcmpEcho 172.16.0.14
    rtr schedule 14 life forever start-time now

<snip>

The following output shows maximum (TMax) and minimum (TMin) round-trip times.

    LER12#sho rtr distributions-statistics
    Captured Statistics

    Entry    = Entry Number
    StartT   = Start Time of Entry (hundredths of seconds)
    Pth      = Path Index
    Hop      = Hop in Path Index
    Dst      = Time Distribution Index
    Comps    = Operations Completed
    OvrTh    = Operations Completed Over Thresholds
    SumCmp   = Sum of Completion Times (milliseconds)
    SumCmp2L = Sum of Completion Times Squared Low 32 Bits (milliseconds)
    SumCmp2H = Sum of Completion Times Squared High 32 Bits (milliseconds)
    TMax     = Completion Time Maximum (milliseconds)
    TMin     = Completion Time Minimum (milliseconds)

    Entry StartT  Pth Hop Dst Comps OvrTh SumCmp SumCmp2L SumCmp2H TMax TMin
    11    2822284 1   1   1   60    0     668    8580     0        24   1
    12    2819228 1   1   1   61    0     1268   28944    0        52   8
    13    2819415 1   1   1   60    0     603    8523     0        32   1
    14    2819590 1   1   1   61    0     719    11559    0        36   1
    LER12#
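The sums in that output are enough to compute the mean and the standard deviation of the round-trip time without storing individual samples, which is what an SLA report needs. The following Python script is an added example (not IOS output or Cisco code): it parses the four entry rows shown above, recombines the two 32-bit halves of the squared sum, and flags entries whose spread or over-threshold ratio exceeds limits that are assumptions for this lab, not values from the workbook.

```python
"""Statistics from 'show rtr distributions-statistics' (added example).

IOS keeps, per entry, the count of completed operations (Comps), the sum of
completion times (SumCmp) and the sum of their squares split into two 32-bit
halves (SumCmp2L/SumCmp2H). From these the mean and the population standard
deviation follow without the individual samples.
"""
import math

# The entry rows from the router output above (sample input).
SAMPLE = """\
Entry StartT  Pth Hop Dst Comps OvrTh SumCmp SumCmp2L SumCmp2H TMax TMin
11    2822284 1   1   1   60    0     668    8580     0        24   1
12    2819228 1   1   1   61    0     1268   28944    0        52   8
13    2819415 1   1   1   60    0     603    8523     0        32   1
14    2819590 1   1   1   61    0     719    11559    0        36   1
LER12#
"""


def parse_rtr_stats(text):
    """Return one dict per data row, keyed by the column names of the header
    line; legend lines, prompts and blank lines are skipped."""
    header, rows = None, []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Entry" and "SumCmp2L" in fields:
            header = fields
            continue
        if header and len(fields) == len(header) and all(f.isdigit() for f in fields):
            row = dict(zip(header, map(int, fields)))
            row["SumCmp2"] = (row["SumCmp2H"] << 32) | row["SumCmp2L"]
            rows.append(row)
    return rows


def rtt_stats(row):
    """Mean, population standard deviation and threshold ratio of one entry."""
    n = row["Comps"]
    if n == 0:
        return None                      # nothing completed: no statistics
    mean = row["SumCmp"] / n
    variance = max(row["SumCmp2"] / n - mean * mean, 0.0)  # guard against rounding
    return {
        "entry": row["Entry"], "samples": n, "mean_ms": mean,
        "stdev_ms": math.sqrt(variance), "max_ms": row["TMax"],
        "min_ms": row["TMin"], "over_threshold": row["OvrTh"] / n,
    }


def flag_entries(rows, max_stdev_ms=6.0, max_over_threshold=0.01):
    """Entries whose spread or threshold violations exceed the (assumed) limits."""
    flagged = []
    for row in rows:
        s = rtt_stats(row)
        if s and (s["stdev_ms"] > max_stdev_ms or s["over_threshold"] > max_over_threshold):
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    rows = parse_rtr_stats(SAMPLE)
    for s in map(rtt_stats, rows):
        print(f"entry {s['entry']}: mean {s['mean_ms']:.1f} ms, stdev {s['stdev_ms']:.1f} ms, "
              f"min/max {s['min_ms']}/{s['max_ms']} ms")
    print("flagged:", [s["entry"] for s in flag_entries(rows)])
```

On the rows above entry 11 has a mean of about 11.1 ms with a standard deviation of about 4.4 ms, while entries 12 to 14 spread more than 6 ms and get flagged.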

Configuring a jitter probe is a bit more complex. A probe must be configured locally and a responder must be configured on the remote router.

Configuration of the jitter probe on router A:

    rtr 11
     type jitter dest-ipaddr 172.16.0.11 dest-port 2011 num-packets 20 interval 300
    rtr schedule 11 life forever start-time now

Configuration of the responder on router B:

    rtr responder

The responder listens for control messages on UDP port 1967 and opens the probe port (2011 in this example) on request from any source unless restricted. That is acceptable inside the lab; on a router reachable from the office network the control port should be limited to the probing routers with an access list.

Traffic Matrix Statistics

Traffic matrix statistics (TMS) is an IOS feature that enables capturing and analyzing traffic dataentering a backbone. By enabling a backbone router to gather traffic matrix statistics, you can determinethe amount of traffic that enters the backbone from sites outside of the backbone. You can alsodetermine the amount of traffic that is generated within the backbone. The traffic matrix statisticshelp you optimize and manage traffic across the backbone.

You can determine the amount of traffic the backbone handles by enabling a backbone router to trackthe number of packets and bytes that travel through it. You can separate the traffic into the categories“internal” (within scope of interest) and “external” (outside scope of interest). You separate the trafficby designating incoming interfaces on the backbone router as internal or external.

TMS data is counted during packet forwarding by CEF nonrecursive accounting, which is configured asdescribed below.

• Enable CEF on the router.

• Enable non-recursive accounting on the router.

• Set incoming interfaces to collect internal or external traffic. By default all interfaces are set asinternal.


A minimum TMS configuration looks like this:

    ip cef
    ip cef accounting non-recursive
    !
    interface Multilink1
     ip cef accounting non-recursive external

You can access traffic matrix data either by using CLI or by reading the virtual files residing on therouter.

    LER12#show ip cef 10.25.0.0
    10.25.0.0/24, version 71, per-destination sharing
    0 packets, 0 bytes
      tag information set
        local tag: 39
      via 172.16.0.3, Serial3/0, 0 dependencies
        next hop 172.16.0.3, Serial3/0
        valid adjacency
        tag rewrite with Se3/0, point2point, tags imposed: {29}
      218016 packets, 153301502 bytes switched through the prefix
      tmstats: external 0 packets, 0 bytes
               internal 218016 packets, 153301502 bytes
      30 second output rate 46 Kbits/sec
    LER12#

TMS data is stored in two files, tmstats_ascii (human readable format) and tmstats_binary (binaryformat).

    LER12#dir system:/vfiles
    Directory of system:/vfiles/

       11  -r--           0                    <no date>  tmasinfo
        9  -r--           0                    <no date>  tmstats_ascii
       10  -r--           0                    <no date>  tmstats_binary

    No space information available
    LER12#more system:/vfiles/tmstats_ascii
    VERSION 1|ADDR 172.16.0.12|AGGREGATION TrafficMatrix.ascii|SYSUPTIME 39659|routerUTC 3246068423|NTP synchronized|DURATION 0|
    p|172.16.1.23/32|9384|418|29163|0|0
    p|172.16.254.0/24|9384|0|0|0|0
    p|172.16.254.11/32|9384|0|0|0|0
    p|172.16.254.100/32|9384|5040|254024|0|0
    <snip>
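Reading the export offline, as an added Python example (not IOS code): the layout is the TMS version-1 ASCII format, a header of key/value pairs separated by "|" followed by one "p" record per destination prefix. The field order assumed for the "p" records (prefix, creation time, internal packets, internal bytes, external packets, external bytes) is taken from Cisco's TMS documentation and should be checked against the documentation for your image. The sample is the excerpt shown above; the script totals the counters, ranks prefixes by bytes, and warns when the router was not NTP synchronized, because the routerUTC stamps are then not comparable across routers.

```python
"""Parser for tmstats_ascii exported from a TMS-enabled router (added example)."""

# Excerpt of the export shown above (sample input, records as printed).
SAMPLE = (
    "VERSION 1|ADDR 172.16.0.12|AGGREGATION TrafficMatrix.ascii|SYSUPTIME 39659|"
    "routerUTC 3246068423|NTP synchronized|DURATION 0|\n"
    "p|172.16.1.23/32|9384|418|29163|0|0\n"
    "p|172.16.254.0/24|9384|0|0|0|0\n"
    "p|172.16.254.11/32|9384|0|0|0|0\n"
    "p|172.16.254.100/32|9384|5040|254024|0|0\n"
)

# Assumed field order of a 'p' record (TMS ASCII format version 1).
P_FIELDS = ("prefix", "created", "int_pkts", "int_bytes", "ext_pkts", "ext_bytes")


def parse_tmstats(text):
    """Return (header dict, list of prefix records). Lines of other record
    types are ignored; a malformed 'p' record or an unknown format version
    raises rather than being silently dropped."""
    header, records = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("VERSION "):
            for item in line.rstrip("|").split("|"):
                key, _, value = item.partition(" ")
                header[key] = value
        elif line.startswith("p|"):
            fields = line.split("|")[1:]
            if len(fields) != len(P_FIELDS):
                raise ValueError(f"unexpected p record: {line}")
            rec = dict(zip(P_FIELDS, fields))
            for key in P_FIELDS[1:]:
                rec[key] = int(rec[key])
            records.append(rec)
    if header.get("VERSION") != "1":
        raise ValueError(f"unsupported TMS format version {header.get('VERSION')!r}")
    return header, records


def warnings(header):
    """Conditions that make the export hard to interpret."""
    notes = []
    if header.get("NTP") != "synchronized":
        notes.append("router clock not NTP synchronized; routerUTC not comparable across routers")
    return notes


def totals(records):
    """Sum of every packet and byte counter over all prefixes."""
    return {key: sum(r[key] for r in records) for key in P_FIELDS[2:]}


def top_prefixes(records, n=3, key="int_bytes"):
    """Busiest destination prefixes by the chosen counter, zero entries dropped."""
    busy = [r for r in records if r[key] > 0]
    return sorted(busy, key=lambda r: r[key], reverse=True)[:n]


if __name__ == "__main__":
    hdr, recs = parse_tmstats(SAMPLE)
    print("router", hdr["ADDR"], "warnings:", warnings(hdr) or "none")
    print("totals", totals(recs))
    for r in top_prefixes(recs):
        print(f"{r['prefix']:<20} internal {r['int_bytes']:>10} B  external {r['ext_bytes']:>10} B")
```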

You can export TMS data from a router using the copy command.

    LER12#copy system:/vfiles/tmstats_ascii ?
      ftp:            Copy to ftp: file system
      null:           Copy to null: file system
      nvram:          Copy to nvram: file system
      rcp:            Copy to rcp: file system
      running-config  Update (merge with) current system configuration
      startup-config  Copy to startup configuration
      system:         Copy to system: file system
      tftp:           Copy to tftp: file system

Of these, tftp:, ftp: and rcp: transfer the file in the clear. The traffic matrix shows which prefixes talk to which, so the transfer should stay on the lab network.


5.9.2 Pagent

TODO: LNE templates for OSPF, BGP, and TGN

Pagent is a set of test tools, based on the Cisco IOS (Internetwork Operating System), and developedwithin Cisco. The test tools are included in special IOS Pagent images. The primary function of thePagent tool set is to provide cost effective test tools to the Cisco community.

Since the tools are based on production hardware and the IOS operating system, the tools are not ableto test the datalink level. They cannot affect frame checksums, preambles, inter frame gap times, orinject hardware failures.

There are limitations to the rates that Pagent tools can transmit and receive packets. Due to theprocessing power of the main CPU, not all IOS based devices are able to transmit packets at full mediarates.

The Pagent programs are best used for testing layer 3 protocols and above. That is, emulating routingprotocols, multicast, TCP sessions, HTTP sessions.

Pagent images have a security scheme to prevent illegal distribution outside Cisco. When a router is loaded with a Pagent image for the first time, it presents a machine ID that must be converted to a license key. Once the license key is entered in the router, it is saved in the configuration, so it is not required on subsequent downloads.

Pagent tools include:

• TGN (Traffic Generator) is used to define and send packets on any combination of supported interfaces on a router. The program has predefined templates to support the definition of specific packet types. Packet lengths and the data in any header field can be set to constant, incrementing or random values. Packet definitions can be imported from the PKTS program capture buffer.

• PKTS (Packet Count and Capture) can capture and display incoming and/or outgoing packets from any combination of interfaces on a router. It can fast-count packets, that is, it can count and discard packets at higher rates than IOS counters can support. PKTS supports the creation of filters that allow selective counting, capture or display.

• Template Compiler provides a convenient high-level language for defining packet formats. It adds new packet definitions to the Pagent tool set (TGN and PKTS) at run time and allows TGN traffic streams and PKTS filters to be defined using the new formats. It allows the definition of multiple display methods that can be used to decode and display packets.

• Router Verified Traffic (RVT) and Control Verified Traffic (CVT) are used together to test bridges and routers. CVT can automatically create numerous traffic streams between many Pagent router interfaces, for many different LAN media and network protocols. RVT can create modest levels of verified traffic where every packet sent through the test network is validated for correct sequence, data integrity, and length. RVT can also create fast unverified traffic.

• PMOD (Passthru Modify) allows a Pagent router to be inserted into a test network so that test traffic passes through the router and can then be modified. Depending on PMOD filters and configuration, the tool can selectively drop, alter, delay or timestamp packets. It also allows test packets to act as triggers and can recalculate test packet IP, TCP and UDP checksums.

• TCP Session Emulator (TCPSE) is a tool for generating TCP traffic. The tool provides configurable features that enable a user to emulate various TCP application dialogs between a TCP client and a TCP server. It emulates multiple hosts establishing thousands of TCP connections. All these TCP sessions are short-lived, which is very typical for web or email traffic.

• HTTP Session Emulator (HTTPSE) is a tool for generating HTTP traffic. It emulates multiple HTTP clients establishing HTTP connections to an HTTP server. It generates all kinds of HTTP traffic, including all kinds of HTTP requests and HTTP responses.

• FTP Session Emulator (FTPSE) is a TCP application for transferring files. The FTPSE Client Emulator generates real FTP traffic and emulates FTP client sessions, which must talk to a real FTP server. Currently FTPSE only supports the client side in passive mode.

• Large Network Emulators (LNE) consists of six programs to support six routing protocols: BGP, OSPF, IS-IS, EIGRP, IGRP and RIP. LNE is used to emulate routers that advertise large networks. It can emulate hundreds of routers to present multiple peers to a router under test. To stress the router under test, LNE can flap entire LNE routers, routes advertised by the LNE routers, or route attributes.

LNE BGP

The following is a simple example of a BGP configuration on a Cisco router in a test network.

    interface ethernet 0
     ip address 173.200.14.10 255.255.255.0
    router bgp 100
     network 173.200.0.0
     neighbor 173.200.14.101 remote-as 101

The BGP process configuration on the Pagent router has to complement the IP addresses and autonomoussystem numbers configured on the router under test. The following commands will:

• Assign an IP address to the BGP process

• Identify the IP address of the destination router

• Assign an autonomous system number to the BGP process

• Identify the autonomous system number of the remote or destination router

• Add a group of networks to advertise

By default, a group advertises 100 networks or routes to networks. For this example, the value will be lowered to 10 networks. These are the commands used to create and configure this BGP process:

    c4700-pagent#lne bgp
    c4700-p(BGP:OFF,Et0:none)#ethernet1
    c4700-p(BGP:OFF,Et1:none)#add bgp
    c4700-p(BGP:OFF,Et1:1)#ip source 173.200.14.101
    c4700-p(BGP:OFF,Et1:1)#ip destination 173.200.14.10
    c4700-p(BGP:OFF,Et1:1)#autonomous-system 101
    c4700-p(BGP:OFF,Et1:1)#remote-as 100
    c4700-p(BGP:OFF,Et1:1)#add group
    c4700-p(BGP:OFF,Et1:1-Grp1)#advert 10


This results in the following configuration:

    c4700-p(BGP:OFF,Et1:1-Grp1)#sh
    BGP Process 1 of 1 with 1 group(s) advertising 10 networks
    name ""
    on
    datalink lne-defined
    ip source 173.200.14.101
    ip destination 173.200.14.10
    autonomous-system 101
    remote-as 100
    !
    random-as-range 200 to 65535
    disallow duplicate-as on
    disallow own-as on
    !
    router-flap off
    router-flap duration on 600 to 1200 seconds
    router-flap duration off 300 to 600 seconds
    verbose on
    flapping on
    header-definition off
    !
    group 1
    group name ""
    advertise 10 networks
    network start 34.1.1.0
    network subnetmask 255.255.255.0
    network per-nlri 10
    next-hop ip-source
    origin EGP Flap off
    AS_SEQ 3 to 7 Flap off
    AS_SET 0 to 3 Flap off
    MED 1000 to 3000 Flap off
    Pref 10000 to 100000 Flap off
    withdraw Flap off
    define AS_SEQ off
    define AS_SET off
    atomic-aggregate off
    aggregator off
    community attribute off
    originator-id off
    cluster-list attribute off
    freeform attribute off

With the verbose on command, the process posts activity messages when BGP packets are sent orreceived. When this LNE BGP configuration is started, the following appears on the console:

    c4700-p(BGP:OFF,Et1:1-Grp1)#start
    - ON: BGP Processes Started.
    c4700-p(BGP:ON,Et1:1-Grp1)#
    BGP 173.200.14.101: Starting process #1 on Ethernet1.
    BGP 173.200.14.101: Send Arp Request.
    BGP 173.200.14.101: Send TCP SYN.
    BGP 173.200.14.101: Send TCP SYN.
    BGP 173.200.14.101: Send BGP Open.
    BGP 173.200.14.101: Recv BGP Open from 173.200.14.10
    BGP 173.200.14.101: Send Group 1 Updates.
    BGP 173.200.14.101: Recv BGP Update from 173.200.14.10

If you enter the command show ip route bgp at the console of the router under test, you should see the10 routes or subnets that were advertised by the LNE BGP process. For example:

    Edge1#show ip route bgp
         34.0.0.0/24 is subnetted, 10 subnets
    B       34.1.3.0 [20/2311] via 173.200.14.101, 00:00:03
    B       34.1.2.0 [20/2311] via 173.200.14.101, 00:00:03
    B       34.1.1.0 [20/2311] via 173.200.14.101, 00:00:03
    B       34.1.7.0 [20/2311] via 173.200.14.101, 00:00:03
    B       34.1.6.0 [20/2311] via 173.200.14.101, 00:00:03
    B       34.1.5.0 [20/2311] via 173.200.14.101, 00:00:03
    B       34.1.4.0 [20/2311] via 173.200.14.101, 00:00:03
    B       34.1.10.0 [20/2311] via 173.200.14.101, 00:00:03
    B       34.1.9.0 [20/2311] via 173.200.14.101, 00:00:04
    B       34.1.8.0 [20/2311] via 173.200.14.101, 00:00:04
    Edge1#
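Checking the router under test against the LNE group definition, as an added Python example (not Pagent or IOS code): the expected set is derived from the group parameters shown above (network start 34.1.1.0, subnetmask 255.255.255.0, advertise 10), the "show ip route bgp" lines are the ones printed above, and the expected next hop and administrative distance (the eBGP default, 20) are read from those lines. The comparison reports routes that never arrived, routes that should not be there, and routes installed via the wrong next hop.

```python
"""Verify that an LNE BGP group's advertised networks reached the router
under test (added example)."""
import ipaddress
import re

# 'show ip route bgp' output from the router under test, as printed above.
SHOW_IP_ROUTE_BGP = """\
Edge1#show ip route bgp
     34.0.0.0/24 is subnetted, 10 subnets
B       34.1.3.0 [20/2311] via 173.200.14.101, 00:00:03
B       34.1.2.0 [20/2311] via 173.200.14.101, 00:00:03
B       34.1.1.0 [20/2311] via 173.200.14.101, 00:00:03
B       34.1.7.0 [20/2311] via 173.200.14.101, 00:00:03
B       34.1.6.0 [20/2311] via 173.200.14.101, 00:00:03
B       34.1.5.0 [20/2311] via 173.200.14.101, 00:00:03
B       34.1.4.0 [20/2311] via 173.200.14.101, 00:00:03
B       34.1.10.0 [20/2311] via 173.200.14.101, 00:00:03
B       34.1.9.0 [20/2311] via 173.200.14.101, 00:00:04
B       34.1.8.0 [20/2311] via 173.200.14.101, 00:00:04
Edge1#
"""

SUBNETTED_RE = re.compile(r"^\s*\S+/(\d+) is subnetted")
ROUTE_RE = re.compile(r"^B\s+(\S+)\s+\[(\d+)/(\d+)\]\s+via\s+(\S+),")


def expected_networks(start, netmask, count):
    """The LNE group advertises 'count' consecutive networks from start/netmask."""
    first = ipaddress.ip_network(f"{start}/{netmask}")
    size = first.num_addresses
    return {ipaddress.ip_network(f"{first.network_address + i * size}/{first.prefixlen}")
            for i in range(count)}


def parse_bgp_routes(text):
    """Map network -> (administrative distance, metric, next hop). IOS prints
    the mask once in the 'is subnetted' line, so remember it for the routes
    that follow."""
    routes, prefixlen = {}, None
    for line in text.splitlines():
        m = SUBNETTED_RE.match(line)
        if m:
            prefixlen = int(m.group(1))
            continue
        m = ROUTE_RE.match(line)
        if m and prefixlen is not None:
            net = ipaddress.ip_network(f"{m.group(1)}/{prefixlen}")
            routes[net] = (int(m.group(2)), int(m.group(3)), m.group(4))
    return routes


def verify(expected, routes, next_hop, distance=20):
    """Differences between what LNE advertised and what the router installed."""
    seen = set(routes)
    return {
        "missing": expected - seen,
        "unexpected": seen - expected,
        "wrong_next_hop": {n for n, (_, _, nh) in routes.items() if nh != next_hop},
        "wrong_distance": {n for n, (d, _, _) in routes.items() if d != distance},
    }


if __name__ == "__main__":
    expected = expected_networks("34.1.1.0", "255.255.255.0", 10)
    result = verify(expected, parse_bgp_routes(SHOW_IP_ROUTE_BGP), "173.200.14.101")
    for kind, nets in result.items():
        print(f"{kind:<15} {sorted(map(str, nets)) or 'ok'}")
```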

These are the console messages when the program is stopped:

    c4700-p(BGP:ON,Et1:1-Grp1)#stop
    --- Please wait until all BGP TCP circuits are closed.
    BGP 173.200.14.101: Send TCP FIN #1.
    BGP 173.200.14.101: Recv TCP Close from 173.200.14.10
    - OFF: BGP Processes Stopped.
    c4700-p(BGP:OFF,Et1:1-Grp1)#

LNE OSPF

The following is a simple example of an OSPF configuration on a Cisco router in a test network. SettingSPF (shortest path first) timers to stress test the router under test is optional.

    interface Ethernet2
     ip address 192.21.2.2 255.255.255.0
     no shutdown
    !
    router ospf 700
     timers spf 0 0
     network 192.21.2.0 0.0.0.255 area 0

The OSPF process configuration on the Pagent router must complement the IP addresses configuredon the router under test. The following commands will:


• Select the LNE OSPF program command prompt

• Select the Ethernet2 interface

• Create an OSPF EASY process

• Assign an IP address to the process that is in the same subnet as the interface of the RUT

• Configure the OSPF process to advertise 20 networks

• Turn on basic program messages

These are the commands used to create and configure the OSPF process:

    a4700a-pagent#lne ospf
    a4700a-(OSPF:OFF,Et0:none)#et2
    a4700a-(OSPF:OFF,Et2:none)#add ez-ospf
    a4700a-(OSPF:OFF,Et2:1/1)#ip source 192.21.2.5
    a4700a-(OSPF:OFF,Et2:1/1)#advertise 20
    a4700a-(OSPF:OFF,Et2:1/1)#verb on
    a4700a-(OSPF:OFF,Et2:1/1)#

This results in the following configuration:

a4700a-(OSPF:OFF,Et2:1/1)#sho
OSPF Process 1 of 1
! This is an OSPF-EASY process
!
name ""
on
!
datalink lne-defined
ip source 192.21.2.5
id 1.1.1.1
subnet-mask 255.255.255.0
area 0.0.0.0
!
hello-interval 10
dead-interval 40
network-type broadcast
!
advertise 20
network start 193.0.0.0
network subnetmask 255.255.255.0
!
interface-metric 10 to 10
cluster-link-type broadcast
authentication off
traffic-eng off
!
summary-links quantity 0
!
external-links quantity 0
!
nssa-links quantity 0
!
withdraw-flap off
withdraw-flap 1 2
link-flap off
link-flap 0 2
!
convergence-test off
convergence-test destination 0.0.0.0
convergence-test packet-interval 10
convergence-test delay-next 1
convergence-test verbose off
!
verify-test off
verify-test current-table
verify-test batch-size 100
verify-test batch-interval 100
verify-test max-timeout 60
verify-test verbose off
!
router-flap off
router-flap duration on 600 to 1200 seconds
router-flap duration off 300 to 600 seconds
update rate 50 pps
update interval 1800 seconds
verbose on
header-definition off

With the verbose on command, the process posts activity messages when OSPF packets are sent or received. When this LNE OSPF configuration is started, the following appears on the console:

a4700a-(OSPF:OFF,Et2:1/1)#start
*** OSPF 192.21.2.5 now looking for designated routers.
- ON: OSPF Processes Started.
a4700a-(OSPF:ON,Et2:1/1)#
OSPF Found Designated Router 192.21.2.2, ID 192.21.0.2 on Ethernet2.
OSPF 192.21.2.5 Starting.
OSPF 192.21.2.5 send OSPF Database Description, Router:0.
OSPF 192.21.2.5 send OSPF Database Description, Router:1.
OSPF 192.21.2.5 send OSPF Database Description, Router:2.
OSPF 192.21.2.5 send OSPF Database Description, Router:3.
OSPF 192.21.2.5 send OSPF Database Description, Router:4.
OSPF 192.21.2.5 send OSPF Database Description, Router:5.
OSPF 192.21.2.5 send OSPF Database Description, Router:6.
OSPF 192.21.2.5 send OSPF Database Description, Router:7.
OSPF 192.21.2.5 send OSPF Database Description, Router:8.
OSPF 192.21.2.5 database exchange complete

a4700a-(OSPF:ON,Et2:1/1)#


On the console of the router under test you should see an OSPF adjacency change message. If you enter the command show ip ospf neighbor at the router, you should see one neighbor in the FULL state, which is the LNE OSPF process. If you enter the command show ip route ospf at the router under test, you should see the 20 routes or networks that were advertised by the LNE OSPF process. For example:

b4700a-pagent#
2w6d: %OSPF-5-ADJCHG: Process 700, Nbr 1.1.1.1 on Ethernet2 from LOADING to FULL, Loading Done
b4700a-pagent#sho ip ospf neighbour

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/DROTHER    00:00:35    192.21.2.5      Ethernet2
b4700a-pagent#
b4700a-pagent#sho ip route ospf
O    193.0.13.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.12.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.15.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.14.0/24 [110/60] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.9.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.8.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.11.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.10.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.5.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.4.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.7.0/24 [110/30] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.6.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.1.0/24 [110/30] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.16.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.17.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.0.0/24 [110/20] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.3.0/24 [110/40] via 192.21.2.5, 00:01:53, Ethernet2
O    193.0.18.0/24 [110/50] via 192.21.2.5, 00:01:53, Ethernet2
O    193.0.19.0/24 [110/50] via 192.21.2.5, 00:01:53, Ethernet2
O    193.0.2.0/24 [110/30] via 192.21.2.5, 00:01:53, Ethernet2

These are the console messages when the program is stopped:

a4700a-(OSPF:ON,Et2:1/1)#stop
- OFF: OSPF Processes Stopped.

a4700a-(OSPF:OFF,Et2:1/1)#
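The three checks described above (adjacency change message, neighbor in FULL state, 20 advertised routes) can be automated over captured router output. The following script is an added example, not code from this logbook or from Pagent; it assumes the LNE OSPF parameters shown above (neighbor 192.21.2.5, router ID 1.1.1.1, 20 networks starting at 193.0.0.0/24) and uses the transcript above as constructed sample input. A truncated capture, for instance when the route table was cut off, is reported as missing routes rather than passed silently.

```python
"""Check a router under test after an LNE OSPF run.

Added example, not code from the Brest Lab logbook or from Pagent.  It parses
the ADJCHG syslog line, "show ip ospf neighbor" and "show ip route ospf" and
compares them with the LNE OSPF configuration: neighbour 192.21.2.5 with
router ID 1.1.1.1, advertising 20 /24 networks starting at 193.0.0.0.
"""
import ipaddress
import re

# Constructed from the logbook's transcript, one message or row per line.
SAMPLE_OUTPUT = """\
2w6d: %OSPF-5-ADJCHG: Process 700, Nbr 1.1.1.1 on Ethernet2 from LOADING to FULL, Loading Done
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/DROTHER    00:00:35    192.21.2.5      Ethernet2
O    193.0.13.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.12.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.15.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.14.0/24 [110/60] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.9.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.8.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.11.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.10.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.5.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.4.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.7.0/24 [110/30] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.6.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.1.0/24 [110/30] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.16.0/24 [110/40] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.17.0/24 [110/50] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.0.0/24 [110/20] via 192.21.2.5, 00:01:52, Ethernet2
O    193.0.3.0/24 [110/40] via 192.21.2.5, 00:01:53, Ethernet2
O    193.0.18.0/24 [110/50] via 192.21.2.5, 00:01:53, Ethernet2
O    193.0.19.0/24 [110/50] via 192.21.2.5, 00:01:53, Ethernet2
O    193.0.2.0/24 [110/30] via 192.21.2.5, 00:01:53, Ethernet2
"""

ADJCHG_RE = re.compile(
    r"%OSPF-5-ADJCHG: Process (?P<process>\d+), Nbr (?P<nbr>\S+) on "
    r"(?P<ifname>\S+) from (?P<old>\w+) to (?P<new>\w+)")
NEIGHBOR_RE = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<state>\S+)\s+"
    r"(?P<dead>\S+)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<ifname>\S+)\s*$")
ROUTE_RE = re.compile(
    r"^O\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]"
    r"\s+via\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)")


def parse_adjacency_changes(text):
    """ADJCHG events as dicts (process, nbr, ifname, old, new)."""
    return [m.groupdict() for m in ADJCHG_RE.finditer(text)]


def parse_ospf_neighbors(text):
    """Rows of 'show ip ospf neighbor'; state keeps only the part before '/'."""
    rows = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            row = m.groupdict()
            row["state"] = row["state"].split("/")[0]
            rows.append(row)
    return rows


def parse_ospf_routes(text):
    """Map each OSPF prefix of 'show ip route ospf' to (AD, metric, next hop)."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes[m["prefix"]] = (int(m["ad"]), int(m["metric"]), m["nexthop"])
    return routes


def expected_networks(start, count):
    """The 'advertise N' networks: N consecutive blocks the size of `start`."""
    base = ipaddress.ip_network(start)
    step = base.num_addresses
    return {str(ipaddress.ip_network((int(base.network_address) + i * step,
                                      base.prefixlen))) for i in range(count)}


def verify_lne_ospf(text, nbr_ip, nbr_id, start, count):
    """Compare captured router output with the LNE OSPF configuration."""
    adj_full = any(e["nbr"] == nbr_id and e["new"] == "FULL"
                   for e in parse_adjacency_changes(text))
    nbr_full = any(n["rid"] == nbr_id and n["addr"] == nbr_ip and n["state"] == "FULL"
                   for n in parse_ospf_neighbors(text))
    routes = parse_ospf_routes(text)
    want, got = expected_networks(start, count), set(routes)
    result = {
        "adjacency_full": adj_full,
        "neighbor_full": nbr_full,
        "missing_routes": sorted(want - got),
        "unexpected_routes": sorted(got - want),
        "wrong_nexthop": sorted(p for p, (_, _, nh) in routes.items() if nh != nbr_ip),
    }
    result["ok"] = all([adj_full, nbr_full, not result["missing_routes"],
                        not result["unexpected_routes"], not result["wrong_nexthop"]])
    return result


if __name__ == "__main__":
    print(verify_lne_ospf(SAMPLE_OUTPUT, "192.21.2.5", "1.1.1.1", "193.0.0.0/24", 20))
```

The route check compares against the set of networks the LNE process was told to generate (network start 193.0.0.0, 20 consecutive /24s), so an extra route leaking in from elsewhere in the test network shows up as unexpected rather than being counted towards the 20.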

TGN

The following configuration statements create a traffic stream from router PAGENT1 to dummy nodes in EDGE2-LAN. Router PAGENT2 acts as ARP responder, providing MAC addresses for ARP requests to the dummy nodes. Please see also the figure on page XXX.

The traffic flow uses 64-byte, 570-byte and 1518-byte IP packets in a 7:4:1 distribution (imix).

Create ARP responder on router PAGENT2:


eth <interface>
add arp responder
name "EDGE2-LAN"
ip-address 10.22.0.2 to 10.22.0.253
mac-address <MAC-PAGENT2>

Create 64 byte flow on router PAGENT1:

eth <interface>
add ip
name "PAGENT1-to-EDGE2-64byte"
rate 70
length 64
l2-encapsulation arpa
l2-dest-addr <MAC-EDGE1>
l2-src-addr <MAC-PAGENT1>
l2-protocol 0x0800
l3-tos random 0x00 to 0x07
l3-dest-addr random 10.22.0.2 to 10.22.0.253
l3-src-addr random 10.21.0.2 to 10.21.0.253

Create 570 byte flow on router PAGENT1:

eth <interface>
add ip
name "PAGENT1-to-EDGE2-570byte"
rate 40
length 570
l2-encapsulation arpa
l2-dest-addr <MAC-EDGE1>
l2-src-addr <MAC-PAGENT1>
l2-protocol 0x0800
l3-tos random 0x00 to 0x07
l3-dest-addr random 10.22.0.2 to 10.22.0.253
l3-src-addr random 10.21.0.2 to 10.21.0.253

Create 1518 byte flow on router PAGENT1:

eth <interface>
add ip
name "PAGENT1-to-EDGE2-1518byte"
rate 10
length 1518
l2-encapsulation arpa
l2-dest-addr <MAC-EDGE1>
l2-src-addr <MAC-PAGENT1>
l2-protocol 0x0800
l3-tos random 0x00 to 0x07
l3-dest-addr random 10.22.0.2 to 10.22.0.253
l3-src-addr random 10.21.0.2 to 10.21.0.253

Check traffic generation:


PAGENT1(TGN:ON,Et1/0:4/4)#show ip

Summary of IP traffic streams on Ethernet1/0
ts#     tos len id   frag ttl protocol chksm source    destination
2   IP  00  20  0000 0000 60  0        6AB8  10.21.0.2 10.22.0.2
3   IP  00  20  0000 0000 60  0        6AB8  10.21.0.2 10.22.0.2
4   IP  00  20  0000 0000 60  0        6AB8  10.21.0.2 10.22.0.2

PAGENT1(TGN:ON,Et1/0:4/4)#
PAGENT1(TGN:ON,Et1/0:4/4)#show rate

The rates are since traffic generation was started.

Summary of traffic stream rates on Ethernet1/0
                                         measured
ts# template state repeat interval/rate interval/rate packets_sent
2   IP       on    1      70 pps        3.216         134071
3   IP       on    1      40 pps        3.216         134068
4   IP       on    1      10 pps        3.216         134067

Totals for Ethernet1/0                   9.649         402206

PAGENT1(TGN:ON,Et1/0:4/4)#
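Checking the generator output by eye is easy to get wrong, so here is an added example (not code from this logbook or from Pagent) that parses the show rate table above and compares each stream's share of the packets sent with the share its configured rate implies for the 7:4:1 imix. The mapping of stream numbers to frame lengths (STREAM_LENGTHS) is an assumption taken from the order of the add ip blocks above (70 pps for 64 bytes, 40 pps for 570 bytes, 10 pps for 1518 bytes). On the transcript's own numbers the check flags streams 2 and 4: all three streams sent almost the same number of packets, although their rates were set to 70, 40 and 10 pps.

```python
"""Check a TGN run from the 'show rate' summary.

Added example, not code from the Brest Lab logbook or from Pagent.  It parses
the "Summary of traffic stream rates" table, checks that each stream's share
of packets sent matches the share implied by its configured rate (the 7:4:1
imix) and computes the configured offered load from the frame lengths of the
three 'add ip' definitions.
"""
import re

# Copied from the logbook's 'show rate' transcript, columns re-aligned.
SAMPLE_SHOW_RATE = """\
Summary of traffic stream rates on Ethernet1/0
                                         measured
ts# template state repeat interval/rate interval/rate packets_sent
2   IP       on    1      70 pps        3.216         134071
3   IP       on    1      40 pps        3.216         134068
4   IP       on    1      10 pps        3.216         134067

Totals for Ethernet1/0                   9.649         402206
"""

# Assumption: stream numbers map to the 'add ip' blocks with the same rate
# (70 pps -> 64 byte, 40 pps -> 570 byte, 10 pps -> 1518 byte).
STREAM_LENGTHS = {2: 64, 3: 570, 4: 1518}

RATE_ROW_RE = re.compile(
    r"^\s*(?P<ts>\d+)\s+(?P<template>\S+)\s+(?P<state>on|off)\s+(?P<repeat>\d+)\s+"
    r"(?P<rate>\d+)\s+pps\s+(?P<measured>[\d.]+)\s+(?P<sent>\d+)\s*$")


def parse_show_rate(text):
    """One dict per traffic stream row; header and totals lines are skipped."""
    streams = []
    for line in text.splitlines():
        m = RATE_ROW_RE.match(line)
        if m:
            streams.append({
                "ts": int(m["ts"]), "template": m["template"], "state": m["state"],
                "rate_pps": int(m["rate"]), "measured": float(m["measured"]),
                "sent": int(m["sent"]),
            })
    return streams


def offered_load_bps(streams, lengths):
    """Configured load in bit/s: rate * frame length * 8 over running streams."""
    return sum(s["rate_pps"] * lengths[s["ts"]] * 8
               for s in streams if s["state"] == "on")


def check_mix(streams, tolerance=0.05):
    """Compare each stream's actual share of packets with its configured share.

    A stream is reported as not ok when the two shares differ by more than
    `tolerance`.  On the logbook's numbers this flags streams 2 and 4.
    """
    total_rate = sum(s["rate_pps"] for s in streams)
    total_sent = sum(s["sent"] for s in streams)
    report = []
    for s in streams:
        want = s["rate_pps"] / total_rate if total_rate else 0.0
        got = s["sent"] / total_sent if total_sent else 0.0
        report.append({"ts": s["ts"], "configured_share": round(want, 4),
                       "actual_share": round(got, 4),
                       "ok": abs(want - got) <= tolerance})
    return report


if __name__ == "__main__":
    streams = parse_show_rate(SAMPLE_SHOW_RATE)
    print("offered load: %d bit/s" % offered_load_bps(streams, STREAM_LENGTHS))
    for row in check_mix(streams):
        print(row)
```

The offered load is what the configuration asks for, not what was measured; the packets_sent column is the only measurement the table gives that can be compared with the configured rates without knowing the exact meaning of the measured interval/rate column.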


[Figure 5.1 (Pagent TGN) shows the test topology: PAGENT1 (eth0, <MAC-PAGENT1>, IP 10.21.0.254) and EDGE1 (eth0, <MAC-EDGE1>, IP 10.21.0.1) on IP network 10.21.0.0/24; EDGE2 (eth0, <MAC-EDGE2>, IP 10.22.0.254) and PAGENT2 (eth0, <MAC-PAGENT2>, IP 10.22.0.1) on IP network 10.22.0.0/24; the traffic stream from PAGENT1 towards EDGE2-LAN. Next to the nodes the figure repeats the "eth 0 / add arp responder / name "EDGE2-LAN" ..." block for PAGENT2 and the "eth 0 / add ip / name "PAGENT1-to-EDGE2-64byte" ..." block for PAGENT1 shown above.]

Figure 5.1 Pagent TGN


5.9.3 Expect

Expect script rtr3 can be used to execute commands on a router. The script can be found on page 107.

Figure 5.2 Expect script rtr3


5.9.4 Ploticus

Sometimes it is interesting to monitor CPU and memory utilization during an experiment. The following procedure allows creating CPU and memory graphs covering a time period of a few hours.

The procedure involves gathering router data using cron and an Expect script (rtr3). The data is graphed using the Ploticus software (http://ploticus.sourceforge.net/).

zerberus.sh is a shell script that is executed by cron every five minutes. The script invokes rtr3 to collect data from a router and store it in a log file. It can be found on page 101ff.

cpu.pl is a Ploticus script that generates a CPU graph from the log file. It can be found on page 101ff.

mem.pl is a Ploticus script that generates a memory graph from the log file. It can be found on page 101ff.

Example graphs can be found on page 43 and 44.

Figure 5.3 Example of a Ploticus CPU utilization graph


Figure 5.4 Example of a Ploticus memory utilization graph


5.9.5 NRFU

• Table of FR PVCs

• CDP table

• OSPF table

• IS-IS table

• BGP


5.9.6 Cricket and RRDTool

TBD


5.9.7 MRTG

MRTG (http://www.mrtg.org) has been deployed as another method of monitoring CPU and memory utilization during an experiment.

MRTG is installed on node Dinghy (from NetBSD package source). MRTG configuration files are placed in the directory /home/mrtg. MRTG generated files are placed in subdirectories of /home/mrtg/public_html. They can be accessed via the URL http://dinghy.brest.lab.

Templates for CPU and memory configuration files are stored in an RCS repository in /home/mrtg.

Monitoring a new router requires the following steps:

• Check out the files router_name-cpu_mrtg.conf and router_name-memory_mrtg.conf

• Individualize and rename the files router_name-cpu_mrtg.conf and router_name-memory_mrtg.conf

• Add the files <ROUTER_SHORT_NAME>-cpu_mrtg.conf and <ROUTER_SHORT_NAME>-memory_mrtg.conf to mrtg.conf

• Create the directory /home/mrtg/public_html/<ROUTER_SHORT_NAME>

• Start or restart MRTG

Example configuration files can be found on page 104.

Example graphs can be found on page 48, 49 and 50.


Figure 5.5 Example of a MRTG CPU utilization graph


Figure 5.6 Example of a MRTG memory utilization graph


Figure 5.7 Example of a MRTG free memory graph


5.9.8 Ethereal (www.ethereal.com)

TBD

5.9.9 Etherape (etherape.sourceforge.net)

TBD


5.10 Authentication Services

5.10.1 RADIUS

Host Dinghy provides the RADIUS authentication service for the lab routers. It runs the Cistron RADIUS daemon (radiusd-cistron-1.6.6), which was installed from NetBSD package source. RADIUS configuration files reside in /usr/pkg/etc/raddb. Example configuration files can be found on page . RADIUS is started using daemontools.

[email protected]# ll /service | grep radiusd
lrwxr-xr-x  1 root  wheel  20 Oct  1 17:41 radiusd -> /usr/pkg/etc/[email protected]#
[email protected]# cat /service/radiusd/run
#!/bin/sh
exec /usr/pkg/sbin/radiusd /usr/pkg/sbin/radiusd -f -s -d /usr/pkg/etc/raddb -p [email protected]#

Configuration commands for Cisco routers can be found on page xxx.


5.11 Security Toolkit

• Portsentry and Logcheck

• Nessus (www.nessus.org)

• Snort and Logsnorter (www.snort.org)

• Analysis Console for Intrusion Databases (ACID) (www.cert.org/kb/acid)

• nmap


A Configuration Log

A.1 Basic IPv4 Configuration

Router configuration files are split into device specific and common files. Device specific files configure mainly the transport and routing aspects. Common files configure generic functions such as NTP, SNMP, and administrative access.

A.1.1 Common Configuration - NTP, SNMP, Administrative Access

! $Id: common-confg,v 1.2 2002/10/25 14:15:13 markus Exp $
!
! Generic commands, administrative access etc.
!
interface loopback1
 description $Id: common-confg,v 1.2 2002/10/25 14:15:13 markus Exp $
!
ip telnet source-interface Loopback0
ip tftp source-interface Loopback0
ip ftp source-interface Loopback0
!
ip domain-name brest.lab
ip name-server 172.16.254.2 172.16.255.2
!
logging trap debugging
logging facility local4
logging source-interface Loopback0
logging 172.16.255.2
!
access-list 1 remark Hosts in this list are allowed telnet/SNMP access
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 1 permit 172.16.254.0 0.0.0.255
access-list 1 permit 172.16.255.0 0.0.0.255
!
snmp-server community Brest-Lab RO 1
!
line vty 0 4
 access-class 1 in
 transport input telnet
!
ntp peer 172.16.0.1 source Loopback0          ! Core1
ntp peer 172.16.0.2 source Loopback0          ! Core2
ntp peer 172.16.0.3 source Loopback0          ! Core3
ntp peer 172.16.0.11 source Loopback0         ! Edge1
ntp peer 172.16.0.12 source Loopback0         ! Edge2
ntp peer 172.16.3.2 source Loopback0          ! Edge3
ntp peer 172.16.255.2 source Loopback0        ! Dinghy
ntp server 172.16.254.2 source Loopback0 prefer ! Anchor


A.1.2 Common Configuration - RADIUS

Two configuration files are provided here because IOS 12.0 is configured differently from IOS 12.2.

! $Id: common-radius-confg,v 1.2 2002/10/25 14:16:26 markus Exp $
! RADIUS IOS 12.2
!
interface loopback2
 description $Id: common-radius-confg,v 1.2 2002/10/25 14:16:26 markus Exp $
!
aaa new-model
aaa authentication login LOCAL_AUTH local
aaa authentication login RADIUS_AUTH group radius local
aaa authentication enable default group radius enable
aaa accounting send stop-record authentication failure
aaa accounting exec default wait-start group radius
ip radius source-interface loopback0
!
enable secret q1w2e3r4
username admin password 1q2w3e4r
!
radius-server host 172.16.255.2 auth-port 1812 acct-port 1813
radius-server key Brest-Lab
!
line con 0
 exec-timeout 0 0
 login authentication LOCAL_AUTH
 transport input none
line aux 0
 exec-timeout 15 0
 login authentication LOCAL_AUTH
line vty 0 4
 exec-timeout 15 0
 login authentication RADIUS_AUTH

This is the IOS 12.0 configuration:

! $Id: common-radius-oldstyle-confg,v 1.2 2002/10/25 14:17:39 markus Exp $
! RADIUS IOS 12.0 -> no "group radius"
!
interface loopback 2
 description $Id: common-radius-oldstyle-confg,v 1.2 2002/10/25 14:17:39 markus Exp $
!
aaa new-model
aaa authentication login LOCAL_AUTH local
aaa authentication login RADIUS_AUTH radius local
aaa authentication enable default radius enable
aaa accounting send stop-record authentication failure
aaa accounting exec default wait-start radius
ip radius source-interface loopback0
!
enable secret q1w2e3r4
username admin password 1q2w3e4r
!
radius-server host 172.16.255.2 auth-port 1812 acct-port 1813
radius-server key Brest-Lab
!
line con 0
 exec-timeout 0 0
 login authentication LOCAL_AUTH
 transport input none
line aux 0
 exec-timeout 15 0
 login authentication LOCAL_AUTH
line vty 0 4
 exec-timeout 15 0
 login authentication RADIUS_AUTH
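The common configuration files in A.1.1 and A.1.2 carry the management-plane settings that a reviewer checks first when a new router joins the lab: how local accounts are stored, whether the vty lines are restricted by an access-class, which transports they accept, which SNMP communities exist and which lines never time out. The following script is an added example, not code from this logbook; it parses an IOS configuration into commands and sub-commands and reports those settings. SAMPLE_CONFIG is assembled from the common-confg and common-radius-confg files above with the secrets replaced by placeholders; the severity labels are the author's own choice.

```python
"""Audit the lab's common IOS configuration for management-plane settings.

Added example, not code from the Brest Lab logbook.  It splits an IOS
configuration into top-level commands with their indented sub-commands and
reports: 'username ... password' (stored reversibly as type 7 under 'service
password-encryption') instead of 'username ... secret', vty lines without an
access-class or with telnet enabled, SNMP communities without an ACL, and
lines whose 'exec-timeout 0 0' never expires.
"""
import re

# Constructed from common-confg (A.1.1) and common-radius-confg (A.1.2);
# secrets replaced by <PLACEHOLDER> values.
SAMPLE_CONFIG = """\
service password-encryption
!
aaa new-model
aaa authentication login LOCAL_AUTH local
aaa authentication login RADIUS_AUTH group radius local
!
enable secret <ENABLE-SECRET>
username admin password <PASSWORD>
!
access-list 1 permit 172.16.0.0 0.0.0.255
snmp-server community <COMMUNITY> RO 1
!
radius-server host 172.16.255.2 auth-port 1812 acct-port 1813
radius-server key <RADIUS-KEY>
!
line con 0
 exec-timeout 0 0
 login authentication LOCAL_AUTH
 transport input none
line aux 0
 exec-timeout 15 0
 login authentication LOCAL_AUTH
line vty 0 4
 exec-timeout 15 0
 access-class 1 in
 login authentication RADIUS_AUTH
 transport input telnet
"""


def parse_ios_config(text):
    """Return [(command, [sub-commands])] in file order.

    IOS writes sub-mode commands with a leading space; '!' lines separate blocks.
    """
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_ios_config(text):
    """Return sorted (severity, finding) tuples for the configuration text."""
    blocks = parse_ios_config(text)
    findings = []
    if not any(cmd == "aaa new-model" for cmd, _ in blocks):
        findings.append(("high", "AAA not enabled (no 'aaa new-model')"))
    for cmd, subs in blocks:
        m = re.match(r"username (\S+) password ", cmd)
        if m:
            findings.append(("high", f"user {m[1]}: 'password' (type 7 or cleartext) instead of 'secret'"))
        m = re.match(r"snmp-server community \S+(?: (RO|RW))?(?: (\S+))?$", cmd)
        if m:
            mode = m[1] or "RO"          # IOS defaults a community to read-only
            if not m[2]:
                findings.append(("medium", f"SNMP {mode} community without an access-list"))
            if mode == "RW":
                findings.append(("medium", "SNMP RW community configured"))
        if not cmd.startswith("line "):
            continue
        if "exec-timeout 0 0" in subs:
            findings.append(("low", f"{cmd}: exec-timeout 0 0 (session never expires)"))
        if cmd.startswith("line vty"):
            if not any(s.startswith("access-class ") for s in subs):
                findings.append(("high", f"{cmd}: no access-class"))
            if not any(s.startswith("login") for s in subs):
                findings.append(("high", f"{cmd}: no login"))
            for s in subs:
                if s.startswith("transport input") and "telnet" in s:
                    findings.append(("medium", f"{cmd}: {s} (cleartext management)"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, finding in audit_ios_config(SAMPLE_CONFIG):
        print(f"{severity:6} {finding}")
```

Run against the device configurations in A.1.3 to A.1.8, which use login local without aaa new-model, the script adds the AAA finding for each of them; the common-radius file is what the lab applies on top to move the vty lines to RADIUS_AUTH.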


A.1.3 Router Core1 - IPv4

! $Id: core1-confg,v 1.3 2002/10/19 15:49:11 markus Exp $
!
version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Core1
!
enable secret q1w2e3r4
username admin password 1q2w3e4r
username system password manager
username markus password 1q2w3e4r
!
ip subnet-zero
ip cef
!
frame-relay switching
!
interface Loopback0
 description $Id: core1-confg,v 1.3 2002/10/19 15:49:11 markus Exp $
 ip address 172.16.0.1 255.255.255.255
 no ip directed-broadcast
!
interface Ethernet0
 description Core1 LAN -> Dinghy
 ip address 172.16.255.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 description Trunk link Core1 to Core2
 bandwidth 2000
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no fair-queue
 clockrate 2000000
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
 frame-relay intf-type nni
 frame-relay route 200 interface Serial1 200
 frame-relay route 300 interface Serial1 300
!
interface Serial0.100 point-to-point
 description Link Core1 to Core2
 bandwidth 256
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 256KBPS
 frame-relay interface-dlci 100
!
interface Serial0.400 point-to-point
 description Link Core1 to Edge1
 bandwidth 64
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 64KBPS
 frame-relay interface-dlci 400
!
interface Serial1
 description Trunk link Core1 to Core3
 bandwidth 2000
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no fair-queue
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
 frame-relay intf-type nni
 frame-relay route 200 interface Serial0 200
 frame-relay route 300 interface Serial0 300
!
interface Serial1.100 point-to-point
 description Link Core1 to Core3
 bandwidth 256
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 256KBPS
 frame-relay interface-dlci 100
!
router ospf 65000
 log-adjacency-changes
 network 172.16.0.0 0.0.0.255 area 0
 network 172.16.255.0 0.0.0.255 area 0
!
ip classless
no ip pim bidir-enable
!
map-class frame-relay 256KBPS
 frame-relay traffic-rate 256000 512000
 frame-relay adaptive-shaping becn
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
 exec-timeout 15 0
 login local
line vty 0 4
 exec-timeout 15 0
 login local
 transport input telnet
end


A.1.4 Router Core2 - IPv4

! $Id: core2-confg,v 1.3 2002/10/19 15:49:17 markus Exp $
!
version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Core2
!
enable secret q1w2e3r4
username admin password 1q2w3e4r
username system password manager
username markus password 1q2w3e4r
ip subnet-zero
ip cef
!
frame-relay switching
!
interface Loopback0
 description $Id: core2-confg,v 1.3 2002/10/19 15:49:17 markus Exp $
 ip address 172.16.0.2 255.255.255.255
 no ip directed-broadcast
!
interface Ethernet0
 description Office LAN -> Anchor
 ip address 172.16.254.254 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 description Access link Core2 to Edge1
 bandwidth 2000
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no fair-queue
 clockrate 2000000
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 400 interface Serial1 400
!
interface Serial0.100 point-to-point
 description Access link Core2 to Edge1
 bandwidth 64
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 64KBPS
 frame-relay interface-dlci 100
!
interface Serial1
 description Trunk link Core2 to Core1
 bandwidth 2000
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no fair-queue
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
 frame-relay intf-type nni
 frame-relay route 400 interface Serial0 400
!
interface Serial1.100 point-to-point
 description Trunk link Core2 to Core1
 bandwidth 256
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 256KBPS
 frame-relay interface-dlci 100
!
interface Serial1.200 point-to-point
 description Trunk link Core2 to Core3
 bandwidth 256
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 256KBPS
 frame-relay interface-dlci 200
!
interface Serial1.300 point-to-point
 description Access link Core2 to Edge2
 bandwidth 64
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 64KBPS
 frame-relay interface-dlci 300
!
router ospf 65000
 log-adjacency-changes
 network 172.16.0.0 0.0.0.255 area 0
 network 172.16.254.0 0.0.0.255 area 0
!
ip classless
no ip pim bidir-enable
!
map-class frame-relay 256KBPS
 frame-relay traffic-rate 256000 512000
 frame-relay adaptive-shaping becn
!
map-class frame-relay 64KBPS
 frame-relay traffic-rate 64000 128000
 frame-relay adaptive-shaping becn
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
 exec-timeout 15 0
 login local
line vty 0 4
 exec-timeout 15 0
 login local
 transport input telnet
end


A.1.5 Router Core3 - IPv4

! $Id: core3-confg,v 1.3 2002/10/12 14:30:02 markus Exp $
!
version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Core3
!
enable secret q1w2e3r4
username admin password 1q2w3e4r
username system password manager
username markus password 1q2w3e4r
ip subnet-zero
ip cef
!
frame-relay switching
!
interface Loopback0
 description $Id: core3-confg,v 1.3 2002/10/12 14:30:02 markus Exp $
 ip address 172.16.0.3 255.255.255.255
 no ip directed-broadcast
!
interface Ethernet0
 description Trunk link Core3 to Core4
 ip address 172.16.3.1 255.255.255.252
 no ip directed-broadcast
!
interface Serial0
 description Trunk link Core3 to Core1
 bandwidth 2000
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no fair-queue
 clockrate 2000000
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
 frame-relay intf-type nni
 frame-relay route 300 interface Serial1 300
!
interface Serial0.100 point-to-point
 description Trunk link Core3 to Core1
 bandwidth 256
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 256KBPS
 frame-relay interface-dlci 100
!
interface Serial0.200 point-to-point
 description Trunk link Core3 to Core2
 bandwidth 256
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 256KBPS
 frame-relay interface-dlci 200
!
interface Serial1
 description Access link Core3 to Edge2
 bandwidth 2000
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no fair-queue
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 300 interface Serial0 300
!
interface Serial1.100 point-to-point
 description Access link Core3 to Edge2
 bandwidth 64
 ip unnumbered Loopback0
 no ip directed-broadcast
 frame-relay class 64KBPS
 frame-relay interface-dlci 100
!
router ospf 65000
 log-adjacency-changes
 network 172.16.0.0 0.0.0.255 area 0
 network 172.16.3.0 0.0.0.255 area 0
!
ip classless
no ip pim bidir-enable
!
map-class frame-relay 256KBPS
 frame-relay traffic-rate 256000 512000
 frame-relay adaptive-shaping becn
!
map-class frame-relay 64KBPS
 frame-relay traffic-rate 64000 128000
 frame-relay adaptive-shaping becn
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
 exec-timeout 15 0
 login local
line vty 0 4
 exec-timeout 15 0
 login local
 transport input telnet
end


A.1.6 Router Core4 - IPv4

[file 910-Configuration-Log/core4-confg does not exist]


A.1.7 Router Edge1 - IPv4

! $Id: edge1-confg,v 1.4 2002/10/19 15:49:02 markus Exp $
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Edge1
!
enable secret q1w2e3r4
username admin password 1q2w3e4r
username system password manager
username markus password 1q2w3e4r
!
ip subnet-zero
ip cef
!
interface Loopback0
 description $Id: edge1-confg,v 1.4 2002/10/19 15:49:02 markus Exp $
 ip address 172.16.0.11 255.255.255.255
!
interface Ethernet0
 description Edge1 LAN (to CPE)
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0
 description *** unused ***
 no ip address
 shutdown
!
interface Serial1
 description Access link Edge1 to Core2
 bandwidth 2000
 no ip address
 encapsulation frame-relay
 no fair-queue
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
!
interface Serial1.100 point-to-point
 description Access link Edge1 to Core2
 bandwidth 64
 ip unnumbered Loopback0
 frame-relay class 64KBPS
 frame-relay interface-dlci 100
!
interface Serial1.400 point-to-point
 description Access link Edge1 to Core1
 bandwidth 64
 ip unnumbered Loopback0
 frame-relay class 64KBPS
 frame-relay interface-dlci 400
!
router ospf 65000
 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 10.1.1.0
 network 172.16.0.0 0.0.0.255 area 0
!
ip classless
no ip http server
ip pim bidir-enable
!
map-class frame-relay 64KBPS
 frame-relay traffic-rate 64000 128000
 frame-relay adaptive-shaping becn
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
 exec-timeout 15 0
 login local
line vty 0 4
 exec-timeout 15 0
 login local
 transport input telnet
end


A.1.8 Router Edge2 - IPv4

! $Id: edge2-confg,v 1.2 2002/09/28 18:50:32 markus Exp $
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Edge2
!
enable secret q1w2e3r4
username admin password 1q2w3e4r
username system password manager
username markus password 1q2w3e4r
!
ip subnet-zero
ip cef
!
interface Loopback0
 description $Id: edge2-confg,v 1.2 2002/09/28 18:50:32 markus Exp $
 ip address 172.16.0.12 255.255.255.255
!
interface Ethernet0
 description Edge2 LAN (to CPE)
 ip address 10.2.1.1 255.255.255.0
!
interface Serial0
 description Access link Edge2 to Core3
 bandwidth 2000
 no ip address
 encapsulation frame-relay
 no fair-queue
 clockrate 2000000
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
!
interface Serial0.100 point-to-point
 description Access link Edge2 to Core3
 bandwidth 64
 ip unnumbered Loopback0
 frame-relay class 64KBPS
 frame-relay interface-dlci 100
!
interface Serial0.300 point-to-point
 description Access link Edge2 to Core2
 bandwidth 64
 ip unnumbered Loopback0
 frame-relay class 64KBPS
 frame-relay interface-dlci 300
!
interface Serial1
 description *** unused ***
 no ip address
 shutdown
!
interface BRI0
 no ip address
 shutdown
!
router ospf 65000
 log-adjacency-changes
 network 10.2.1.0 0.0.0.255 area 10.2.1.0
 network 172.16.0.0 0.0.0.255 area 0
!
ip classless
no ip http server
no ip pim bidir-enable
!
map-class frame-relay 64KBPS
 frame-relay traffic-rate 64000 128000
 frame-relay adaptive-shaping becn
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
 exec-timeout 15 0
 login local
line vty 0 4
 exec-timeout 15 0
 login local
 transport input telnet
end


A.1.9 Router Zerberus - IPv4

[file 910-Configuration-Log/zerberus-confg does not exist]


A.1.10 Host Anchor - IPv4

[file 910-Configuration-Log/anchor-confg does not exist]


A.1.11 Host Dinghy - IPv4

/etc/rc.conf

[email protected]# cat /etc/rc.conf
# $NetBSD: rc.conf,v 1.96 2000/10/14 17:01:29 wiz Exp $
#
# see rc.conf(5) for more information.
#
# Use program=YES to enable program, NO to disable it.  program_flags are
# passed to the program on the command line.
#

# Load the defaults in from /etc/defaults/rc.conf (if it's readable).
# These can be overridden below.
#
if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
fi

# If this is not set to YES, the system will drop into single-user mode.
#
rc_configured=YES

#
# Add local overrides below
#

# Web server
thttpd=YES

# Logging
syslogd=YES        syslogd_flags=""        # Allow remote boxes to use syslogd
newsyslog=YES      newsyslog_flags=""      # Trim log files

# NTP
ntpd=YES

# IPv4 routing
# IPv4 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet.ip.forwarding=1
# Routing daemons are started via daemontools
# -> /service/gated

/etc/rc.local

[email protected]# cat /etc/rc.local
# $NetBSD: rc.local,v 1.29 2000/10/07 00:22:44 hubertf Exp $
# originally from: @(#)rc.local 8.3 (Berkeley) 4/28/94
#
# This file is (nearly) the last thing invoked by /etc/rc during a
# normal boot, via /etc/rc.d/local.
#
# It is intended to be edited locally to add site-specific boot-time
# actions, such as starting locally installed daemons.
#
# An alternative option is to create site-specific /etc/rc.d scripts.
#

echo -n 'starting local daemons:'

# Add your local daemons here.
#

# Enable ip forwarding
sysctl -w net.inet.ip.forwarding=1
sysctl -w net.inet6.ip6.forwarding=1

#if [ -f /usr/pkg/etc/rc.d/apache ]; then
#       /usr/pkg/etc/rc.d/apache start
#fi

echo '.'

#
# We're using Daemontools to manage local services - starting svscan
#
env - PATH=/usr/local/bin:/usr/pkg/bin:/usr/pkg/sbin:/usr/sbin:/usr/bin:/bin csh -cf 'svscan /service &'

/etc/ifconfig.sq0

[email protected]# cat /etc/ifconfig.sq0
up
172.16.255.2 netmask 0xffffff00

/etc/syslog.conf

[email protected]# cat /etc/syslog.conf
# $NetBSD: syslog.conf,v 1.7 2001/02/12 06:08:31 mycroft Exp $

local4.*                                        /var/log/router.log

*.err;kern.*;auth.notice;authpriv.none;mail.crit        /dev/console
*.info;auth,authpriv,cron,ftp,kern,lpr,mail.none        /var/log/messages
kern.debug                                      /var/log/messages

# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publically-readable
# files.
auth,authpriv.info                              /var/log/authlog

cron.info                                       /var/cron/log
ftp.info                                        /var/log/xferlog
lpr.info                                        /var/log/lpd-errs
mail.info                                       /var/log/maillog
#uucp.info                                      /var/spool/uucp/ERRORS

*.emerg                                         *
*.notice                                        root

/etc/newsyslog.conf

[email protected]# cat /etc/newsyslog.conf
# $NetBSD: newsyslog.conf,v 1.15 2002/03/29 02:47:26 heinz Exp $
#
# Configuration file for newsyslog(8).
#
# logfilename          [owner:group]  mode ngen size when flags [/pidfile] [sigtype]
#
/var/cron/log          root:wheel     600  3    10   *    Z
/var/log/aculog        uucp:dialer    640  7    *    24   Z
/var/log/authlog                      600  5    30   *    Z
/var/log/kerberos.log                 640  7    *    24   ZN
/var/log/lpd-errs                     640  7    10   *    Z
/var/log/maillog                      600  7    *    24   Z
/var/log/messages                     644  5    30   *    Z
/var/log/wtmp                         644  7    *    168  ZBN
/var/log/xferlog                      640  7    250  *    Z
/var/log/gated.log                    644  5    30   *    Z
/var/log/router.log                   644  5    30   *    Z

/etc/ntp.conf

[email protected]# cat /etc/ntp.conf
# $Id$
# Network Time Protocol (NTP) configuration file for ntpd

# Process ID file, so that the daemon can be signalled from scripts

pidfile         /var/run/ntpd.pid

# The correction calculated by ntpd(8) for the local system clock's
# drift is stored here

driftfile       /var/db/ntp.drift

# suppress the syslog(3) message for each peer synchronization change

logconfig       -syncstatus

# Hereafter should be "server" or "peer" statements to configure
# other hosts to exchange NTP packets with.
#
# Ideally, you should select at least three other systems to talk
# NTP with, for an "what I tell you three times is true" effect.

server  anchor.brest.lab
peer    core1.brest.lab
peer    core2.brest.lab
peer    core2.brest.lab
peer    edge1.brest.lab
peer    edge2.brest.lab
peer    edge3.brest.lab

/etc/gated.conf

[email protected]# ll /service/
total 0
lrwxr-xr-x  1 root  wheel  21 Oct  1 14:09 gated -> /usr/local/etc/gated/
lrwxr-xr-x  1 root  wheel  19 Sep 17 11:33 thttpd -> /usr/pkg/etc/thttpd
lrwxr-xr-x  1 root  wheel  18 Sep 30 16:25 zebra -> /usr/pkg/etc/zebra
[email protected]#
[email protected]# cat /service/gated/run
#!/bin/sh
exec /usr/local/sbin/gated -N -f /etc/gated.conf /var/log/gated.log
[email protected]#
[email protected]# cat /etc/gated.conf
ospf yes {
    backbone {
        interface sq0;
    };
};
[email protected]#


A.2 IPv6 Configuration

A.2.1 Router Anchor - IPv6

Anchor serves as IPv6 hub router and route reflector.

/etc/rc.conf

[email protected]# cat /etc/rc.conf
# $NetBSD: rc.conf,v 1.96 2000/10/14 17:01:29 wiz Exp $
#
# see rc.conf(5) for more information.
#
# Use program=YES to enable program, NO to disable it.  program_flags are
# passed to the program on the command line.
#

# Load the defaults in from /etc/defaults/rc.conf (if it's readable).
# These can be overridden below.
#
if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
fi

# If this is not set to YES, the system will drop into single-user mode.
#
rc_configured=YES

# Add local overrides below
#

# Logging
syslogd=YES             syslogd_flags=""        # Allow remote boxes to use syslogd
newsyslog=YES           newsyslog_flags=""      # Trim log files

# NTP
ntpd=YES

# IPv4 routing
# IPv4 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet.ip.forwarding=1
# Routing daemons are started via daemontools
# -> /service/ospfd

# IPv6 routing
# IPv6 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet6.ip.forwarding=1
# Routing daemons are started via daemontools
# -> /service/zebra
# -> /service/bgpd
ip6mode=router                                  # host, autohost or router
ip6sitelocal=YES                                # IPv6 sitelocal addrs
rtsol=NO                rtsol_flags="-a"        # for ip6mode=autohost only
rtadvd=YES              rtadvd_flags="tlp0"

#
# NFS server => netboot the Indy
#
# rpcbind=YES           rpcbind_flags="-l"
# nfs_server=YES
# lockd=YES
# statd=YES
#
# DHCPd => netboot the Indy
#
dhcpd=YES               dhcpd_flags="-q tlp0"
[email protected]#

/etc/rc.local

[email protected]# cat /etc/rc.local
# $NetBSD: rc.local,v 1.29 2000/10/07 00:22:44 hubertf Exp $
#       originally from: @(#)rc.local   8.3 (Berkeley) 4/28/94
#
# This file is (nearly) the last thing invoked by /etc/rc during a
# normal boot, via /etc/rc.d/local.
#
# It is intended to be edited locally to add site-specific boot-time
# actions, such as starting locally installed daemons.
#
# An alternative option is to create site-specific /etc/rc.d scripts.
#

echo -n 'starting local daemons:'

# Add your local daemons here.
#

# Enable ip forwarding
sysctl -w net.inet.ip.forwarding=1
sysctl -w net.inet6.ip6.forwarding=1

#
# We're using Daemontools to start local services - starting svscan now
#
env - PATH=/usr/local/bin:/usr/pkg/bin:/usr/pkg/sbin:/usr/sbin:/usr/bin:/bin csh -cf 'svscan /service &'
[email protected]#


/etc/ifconfig.*

[email protected]# cat /etc/ifconfig.lo0
inet6 fefe::a prefixlen 128
[email protected]#
[email protected]# cat /etc/ifconfig.tlp0
up
172.16.254.2 netmask 0xffffff00 media 10baseT
inet6 fefe:a::1 prefixlen 64
[email protected]#
[email protected]# cat /etc/ifconfig.gif0
create
tunnel 172.16.254.2 172.16.255.2
inet6
[email protected]#
[email protected]# cat /etc/ifconfig.gif1
create
tunnel 172.16.254.2 172.16.0.11
inet6
[email protected]#
[email protected]# cat /etc/ifconfig.gif2
create
tunnel 172.16.254.2 172.16.0.12
inet6
[email protected]#
[email protected]# cat /etc/ifconfig.gif3
create
tunnel 172.16.254.2 10.3.1.1
inet6
[email protected]#

/etc/zebra.conf

!
! $Id: anchor-ipv6-zebra.conf,v 1.2 2002/10/23 18:18:55 markus Exp $
!
hostname Anchor(zebra)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/zebra.log
!
interface tlp0
 description Office LAN
 ipv6 address fefe:a::1/64
 ipv6 nd suppress-ra
!
interface ep0
 description ***unused***
 ipv6 nd suppress-ra
!
interface lo0
 description $Id: anchor-ipv6-zebra.conf,v 1.2 2002/10/23 18:18:55 markus Exp $
 ipv6 address fefe::a/128
!
interface ppp0
 description ***unused***
 ipv6 nd suppress-ra
!
interface ppp1
 description ***unused***
 ipv6 nd suppress-ra
!
interface ppp2
 description ***unused***
 ipv6 nd suppress-ra
!
interface ppp3
 description ***unused***
 ipv6 nd suppress-ra
!
interface sl0
 description ***unused***
 ipv6 nd suppress-ra
!
interface sl1
 description ***unused***
 ipv6 nd suppress-ra
!
interface sl2
 description ***unused***
 ipv6 nd suppress-ra
!
interface sl3
 description ***unused***
 ipv6 nd suppress-ra
!
interface gif0
 description IPv6 tunnel to router Dinghy
 ipv6 nd suppress-ra
!
interface gif1
 description IPv6 tunnel to router Edge1
 ipv6 nd suppress-ra
!
interface gif2
 description IPv6 tunnel to router Edge2
 ipv6 nd suppress-ra
!
interface gif3
 description ***unused***
 ipv6 nd suppress-ra
!
ip route 224.0.0.5/32 127.0.0.1
ip route 224.0.0.6/32 127.0.0.1
ipv6 route fefe::d/128 gif0
ipv6 route fefe::e1/128 gif1 253
ipv6 route fefe::e2/128 gif2 253
!
!
line vty
!

/etc/bgpd.conf

!
! $Id: anchor-ipv6-bgpd.conf,v 1.1 2002/10/23 15:55:26 markus Exp $
!
hostname Anchor(bgpd)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/bgpd.log
!
router bgp 65000
 bgp deterministic-med
 neighbor MESH peer-group
 neighbor MESH remote-as 65000
 neighbor MESH description Fellow route reflectors
 neighbor MESH update-source lo0
 no neighbor MESH activate
 !*! Edge1
 neighbor fefe::e1 remote-as 65000
 neighbor fefe::e1 update-source lo0
 no neighbor fefe::e1 activate
 !*! Edge2
 neighbor fefe::e2 remote-as 65000
 neighbor fefe::e2 update-source lo0
 no neighbor fefe::e2 activate
!
 address-family ipv6
 redistribute connected
 redistribute static
 neighbor MESH activate
 neighbor MESH next-hop-self
 neighbor MESH route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 !*! Edge1
 neighbor fefe::d peer-group MESH
 neighbor fefe::e1 activate
 neighbor fefe::e1 route-reflector-client
 neighbor fefe::e1 next-hop-self
 neighbor fefe::e1 route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 !*! Edge2
 neighbor fefe::e2 activate
 neighbor fefe::e2 route-reflector-client
 neighbor fefe::e2 next-hop-self
 neighbor fefe::e2 route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 set ipv6 next-hop global fefe::a
!
line vty
!


A.2.2 Router Dinghy - IPv6

Dinghy serves as IPv6 hub router and route reflector.

/etc/rc.conf

[email protected]# cat /etc/rc.conf
# $NetBSD: rc.conf,v 1.96 2000/10/14 17:01:29 wiz Exp $
#
# see rc.conf(5) for more information.
#
# Use program=YES to enable program, NO to disable it.  program_flags are
# passed to the program on the command line.
#

# Load the defaults in from /etc/defaults/rc.conf (if it's readable).
# These can be overridden below.
#
if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
fi

# If this is not set to YES, the system will drop into single-user mode.
#
rc_configured=YES

#
# Add local overrides below
#
thttpd=YES

# Logging
syslogd=YES             syslogd_flags=""        # Allow remote boxes to use syslogd
newsyslog=YES           newsyslog_flags=""      # Trim log files

# NTP
ntpd=YES

# IPv4 routing
# IPv4 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet.ip.forwarding=1
# Routing daemons are started via daemontools
# -> /service/gated

# IPv6 routing
# IPv6 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet6.ip6.forwarding=1
# Routing daemons are started via daemontools
# -> /service/zebra
# -> /service/bgpd
ip6mode=router
ip6sitelocal=YES
rtadvd=YES              rtadvd_flags="sq0"
rtsol=NO                rtsol_flags="-a"        # for ip6mode=autohost only
[email protected]#

/etc/rc.local

[email protected]# cat /etc/rc.local
# $NetBSD: rc.local,v 1.29 2000/10/07 00:22:44 hubertf Exp $
#       originally from: @(#)rc.local   8.3 (Berkeley) 4/28/94
#
# This file is (nearly) the last thing invoked by /etc/rc during a
# normal boot, via /etc/rc.d/local.
#
# It is intended to be edited locally to add site-specific boot-time
# actions, such as starting locally installed daemons.
#
# An alternative option is to create site-specific /etc/rc.d scripts.
#

echo -n 'starting local daemons:'

# Add your local daemons here.
#

# RADIUS
#if [ -f /usr/pkg/etc/rc.d/radiusd ]; then
#       /usr/pkg/etc/rc.d/radiusd start
#fi
#echo '-> radiusd'

# Enable ip forwarding
sysctl -w net.inet.ip.forwarding=1
sysctl -w net.inet6.ip6.forwarding=1

#
# We're using Daemontools to manage local services - starting svscan
#
env - PATH=/usr/local/bin:/usr/pkg/bin:/usr/pkg/sbin:/usr/sbin:/usr/bin:/bin csh -cf 'svscan /service &'
[email protected]#

/etc/ifconfig.*

[email protected]# cat /etc/ifconfig.lo0
inet6 fefe::d prefixlen 128
[email protected]#
[email protected]# cat /etc/ifconfig.sq0
up
172.16.255.2 netmask 0xffffff00
inet6 fefe:d::1 prefixlen 64
[email protected]#
[email protected]# cat /etc/ifconfig.gif0
create
tunnel 172.16.255.2 172.16.254.2
inet6
[email protected]#
[email protected]# cat /etc/ifconfig.gif1
create
tunnel 172.16.255.2 172.16.0.11
inet6
[email protected]#
[email protected]# cat /etc/ifconfig.gif2
create
tunnel 172.16.255.2 172.16.0.12
inet6
[email protected]#

/etc/zebra.conf

!
! $Id: dinghy-ipv6-zebra.conf,v 1.1 2002/10/23 16:00:32 markus Exp $
!
hostname Dinghy(zebra)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/zebra.log
!
interface sq0
 description To routers Core4 (IPv4, IPv6) and Core1 (IPv4)
 ipv6 address fefe:d::1/64
 ipv6 nd suppress-ra
!
interface lo0
 description $Id: dinghy-ipv6-zebra.conf,v 1.1 2002/10/23 16:00:32 markus Exp $
 ipv6 address fefe::d/128
!
interface ppp0
 description ***unused***
 ipv6 nd suppress-ra
!
interface ppp1
 description ***unused***
 ipv6 nd suppress-ra
!
interface sl0
 description ***unused***
 ipv6 nd suppress-ra
!
interface sl1
 description ***unused***
 ipv6 nd suppress-ra
!
interface strip0
 description ***unused***
 ipv6 nd suppress-ra
!
interface strip1
 description ***unused***
 ipv6 nd suppress-ra
!
interface gif0
 description IPv6 tunnel to router Anchor
 ipv6 nd suppress-ra
!
interface gif1
 description IPv6 tunnel to router Edge1
 ipv6 nd suppress-ra
!
interface gif2
 description IPv6 tunnel to router Edge2
 ipv6 address fefe:bb:d::5/126
 ipv6 nd suppress-ra
!
ip route 224.0.0.5/32 127.0.0.1
ip route 224.0.0.6/32 127.0.0.1
ipv6 route fefe::a/128 gif0
ipv6 route fefe::e1/128 gif1 253
ipv6 route fefe::e2/128 gif2 253
ipv6 route fefe::e3/128 fefe:d::2 253
!
!
line vty
!

/etc/bgpd.conf

!
! $Id: dinghy-ipv6-bgpd.conf,v 1.1 2002/10/23 16:00:40 markus Exp $
!
hostname Dinghy(bgpd)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/bgpd.log
!
router bgp 65000
 bgp deterministic-med
 neighbor MESH peer-group
 neighbor MESH remote-as 65000
 neighbor MESH description Fellow route reflectors
 neighbor MESH update-source lo0
 no neighbor MESH activate
 !*! Edge1
 neighbor fefe::e1 remote-as 65000
 neighbor fefe::e1 update-source lo0
 no neighbor fefe::e1 activate
 !*! Edge2
 neighbor fefe::e2 remote-as 65000
 neighbor fefe::e2 update-source lo0
 no neighbor fefe::e2 activate
 !*! Edge3 (Core4)
 neighbor fefe::e3 remote-as 65000
 neighbor fefe::e3 update-source lo0
 no neighbor fefe::e3 activate
!
 address-family ipv6
 redistribute connected
 redistribute static
 neighbor MESH activate
 neighbor MESH next-hop-self
 neighbor MESH route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::a peer-group MESH
 !*! Edge1
 neighbor fefe::e1 activate
 neighbor fefe::e1 route-reflector-client
 neighbor fefe::e1 next-hop-self
 neighbor fefe::e1 route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 !*! Edge2
 neighbor fefe::e2 activate
 neighbor fefe::e2 route-reflector-client
 neighbor fefe::e2 next-hop-self
 neighbor fefe::e2 route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 !*! Edge3
 neighbor fefe::e3 activate
 neighbor fefe::e3 route-reflector-client
 neighbor fefe::e3 next-hop-self
 neighbor fefe::e3 route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 set ipv6 next-hop global fefe::d
!
line vty
!


A.2.3 Router Edge1 - IPv6

The following commands add IPv6 to the base IPv4 configuration of the router.

! $Id: edge1-ipv6-confg,v 1.12 2002/10/25 14:20:23 markus Exp $
!
! Add IPv6 to the IPv4 configuration of router Edge1
!
ipv6 unicast-routing
!
! Configure interfaces
!
interface loopback 0
 ipv6 address fefe::e1/128
 exit
!
interface loopback 20
 description $Id: edge1-ipv6-confg,v 1.12 2002/10/25 14:20:23 markus Exp $
!
interface ethernet 0
 ipv6 address fefe:e1::1/64
 exit
!
interface tunnel 0
 description IPv6 tunnel to router Anchor
 ipv6 unnumbered loopback 0
 ipv6 enable
 tunnel source loopback 0
 tunnel destination 172.16.254.2
 tunnel mode ipv6ip
 exit
!
interface tunnel 1
 description IPv6 tunnel to router Dinghy
 ipv6 unnumbered loopback 0
 ipv6 enable
 tunnel source loopback 0
 tunnel destination 172.16.255.2
 tunnel mode ipv6ip
 exit
!
! Configure BGP Routing
!
ipv6 route fefe::a/128 Tunnel0
ipv6 route fefe::d/128 Tunnel1
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 bgp deterministic-med
 neighbor ROUTE-REFLECTORS peer-group
 neighbor ROUTE-REFLECTORS remote-as 65000
 neighbor ROUTE-REFLECTORS description Upstream route reflector servers
 neighbor ROUTE-REFLECTORS update-source Loopback0
 no neighbor ROUTE-REFLECTORS activate
 no auto-summary
 !
 address-family ipv6
 neighbor ROUTE-REFLECTORS activate
 neighbor ROUTE-REFLECTORS next-hop-self
 neighbor ROUTE-REFLECTORS send-community
 neighbor ROUTE-REFLECTORS route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::a peer-group ROUTE-REFLECTORS
 neighbor fefe::d peer-group ROUTE-REFLECTORS
 no synchronization
 redistribute connected
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 description Set next hop to global IPv6 addr; default is using link local IPv6 addr
 set ipv6 next-hop fefe::e1
!
! Configure RIPv6 Routing
!
ipv6 router rip EDGE-LAN
 distance 254
 redistribute bgp 65000 metric 10
 distribute-list prefix-list DENY_ALL in
!
ipv6 prefix-list DENY_ALL seq 5 deny ::/0
!
interface Ethernet0
 ipv6 rip EDGE-LAN enable
!
! End of module IPv6-Edge1


A.2.4 Router Edge2 - IPv6

The following commands add IPv6 to the base IPv4 configuration of the router.

! $Id: edge2-ipv6-confg,v 1.14 2002/10/25 14:21:15 markus Exp $
!
! Add IPv6 to the IPv4 configuration of router Edge2
!
ipv6 unicast-routing
!
! Configure interfaces
!
interface loopback 0
 ipv6 address fefe::e2/128
 exit
!
interface loopback 20
 description $Id: edge2-ipv6-confg,v 1.14 2002/10/25 14:21:15 markus Exp $
!
interface ethernet 0
 ipv6 address fefe:e2::1/64
 exit
!
interface tunnel 0
 description IPv6 tunnel to router Anchor
 ipv6 unnumbered loopback 0
 ipv6 enable
 tunnel source loopback 0
 tunnel destination 172.16.254.2
 tunnel mode ipv6ip
 exit
!
interface tunnel 1
 description IPv6 tunnel to router Dinghy
 ipv6 unnumbered loopback 0
 ipv6 enable
 tunnel source loopback 0
 tunnel destination 172.16.255.2
 tunnel mode ipv6ip
 exit
!
! Configure BGP Routing
!
ipv6 route fefe::a/128 Tunnel0
ipv6 route fefe::d/128 Tunnel1
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 bgp deterministic-med
 neighbor ROUTE-REFLECTORS peer-group
 neighbor ROUTE-REFLECTORS remote-as 65000
 neighbor ROUTE-REFLECTORS description Upstream route reflector servers
 neighbor ROUTE-REFLECTORS update-source Loopback0
 no neighbor ROUTE-REFLECTORS activate
 no auto-summary
 !
 address-family ipv6
 neighbor ROUTE-REFLECTORS activate
 neighbor ROUTE-REFLECTORS next-hop-self
 neighbor ROUTE-REFLECTORS send-community
 neighbor ROUTE-REFLECTORS route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::a peer-group ROUTE-REFLECTORS
 neighbor fefe::d peer-group ROUTE-REFLECTORS
 no synchronization
 redistribute connected
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 description Set next hop to global IPv6 addr; default is using link local IPv6 addr
 set ipv6 next-hop fefe::e2
!
! Configure RIPv6 Routing
!
ipv6 router rip EDGE-LAN
 distance 254
 redistribute bgp 65000 metric 10
 distribute-list prefix-list DENY_ALL in
!
ipv6 prefix-list DENY_ALL seq 5 deny ::/0
!
interface Ethernet0
 ipv6 rip EDGE-LAN enable
!
! End of module IPv6-Edge2


A.2.5 Router Core4 - IPv6

/etc/rc.conf

[email protected]# cat /etc/rc.conf
# $NetBSD: rc.conf,v 1.85.2.9 2001/04/24 22:42:44 he Exp $
#
# see rc.conf(5) for more information.
#
# Use program=YES to enable program, NO to disable it.  program_flags are
# passed to the program on the command line.
#

# Load the defaults in from /etc/defaults/rc.conf (if it's readable).
# These can be overridden below.
#
if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
fi

# If this is not set to YES, the system will drop into single-user mode.
#
rc_configured=YES

# Add local overrides below
#

# Console
wscons=YES

# Logging
newsyslog=YES           newsyslog_flags=""      # Trim log files

# NTP
ntpd=YES

# MPLS - AYAME
# Interface options are set in rc.local
# -> /usr/ayame/sbin/ifconfig lo0 mtu 1500
# -> /usr/ayame/sbin/ifconfig lo0 mpls 0:0
# Multicast route is set in rc.local
# -> route add -net 224.0.0.0 -netmask 255.0.0.0 127.0.0.1
# Kernel options are set in rc.local
# -> /usr/ayame/sbin/sysctl -w net.mpls.mapttl_ip=0
# Daemons are started via daemontools
# -> /service/ayamed
# -> /service/ldpd
mpls=YES

# IPv4 routing
# IPv4 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet.ip.forwarding=1
# Routing daemons are started via daemontools
# -> /service/zebra
# -> /service/ospfd

# IPv6 routing
# IPv6 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet6.ip.forwarding=1
# Routing daemons are started via daemontools
# -> /service/zebra
# -> /service/bgpd
ip6mode=router                                  # host, autohost or router
#ip6sitelocal=YES                               # IPv6 sitelocal addrs -> NetBSD 1.6
rtsol=NO                rtsol_flags="-a"        # for ip6mode=autohost only
rtadvd=YES              rtadvd_flags="ne2"
[email protected]#

/etc/rc.local

[email protected]# cat /etc/rc.local
# $NetBSD: rc.local,v 1.25.10.2 2000/10/07 20:21:35 hubertf Exp $
#       originally from: @(#)rc.local   8.3 (Berkeley) 4/28/94
#
# This file is (nearly) the last thing invoked by /etc/rc during a
# normal boot, via /etc/rc.d/local.
#
# It is intended to be edited locally to add site-specific boot-time
# actions, such as starting locally installed daemons.
#
# An alternative option is to create site-specific /etc/rc.d scripts.
#

echo -n 'starting local daemons:'

# Add your local daemons here.
#
# Enable ip forwarding
sysctl -w net.inet.ip.forwarding=1
sysctl -w net.inet6.ip6.forwarding=1

# MPLS - AYAME
# Interface options
/usr/ayame/sbin/ifconfig lo0 mtu 1500
/usr/ayame/sbin/ifconfig lo0 mpls 0:0
# Multicast route
route add -net 224.0.0.0 -netmask 255.0.0.0 127.0.0.1
# Kernel options
/usr/ayame/sbin/sysctl -w net.mpls.mapttl_ip=0

# Daemons are started via daemontools
# -> /service/ayamed
# -> /service/ldpd

#
# We're using Daemontools to start local services - starting svscan now
#
env - PATH=/usr/local/bin:/usr/pkg/bin:/usr/pkg/sbin:/usr/sbin:/usr/bin:/bin csh -cf 'svscan /service &'

# German keyboard
wsconsctl -k -w
[email protected]#

/etc/ifconfig.*

[email protected]# cat /etc/ifconfig.lo0
inet6 fefe::e3 prefixlen 128
[email protected]#
[email protected]# cat /etc/ifconfig.rtk0
172.16.3.2 netmask 0xfffffffc media
[email protected]#
[email protected]# cat /etc/ifconfig.rtk1
172.16.255.4 netmask 0xffffff00 media 10baseT
inet6 fefe:d::2 prefixlen 64
[email protected]#
[email protected]# cat /etc/ifconfig.ne2
10.3.1.1 netmask 0xffffff00 media autoselect
inet6 fefe:e3::1 prefixlen 64
[email protected]#
[email protected]# cat /etc/ifconfig.gif0
create
tunnel 10.3.1.1 172.16.254.2
inet6
[email protected]#
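Every gif tunnel on the NetBSD routers must meet a gif on the other NetBSD router, or an IOS "interface tunnel", with source and destination swapped; an endpoint typed wrong on one side shows up only as a BGP session that never comes up. The script below is an added example, not from the workbook: it collects the tunnel endpoints transcribed from the /etc/ifconfig.gif* files of Anchor, Dinghy and Core4 and from the Edge1/Edge2 tunnel stanzas in this appendix, and lists every tunnel that has no reverse anywhere. The IPv4 loopback addresses of Edge1 and Edge2 (172.16.0.11 and 172.16.0.12) are an assumption taken from the destinations Anchor and Dinghy configure for them.

```python
"""Check that every IPv6-over-IPv4 tunnel in the lab has a matching far end.

Added example, not part of the workbook. The tunnel definitions below are
transcribed from this appendix; the Edge1/Edge2 loopback addresses are an
assumption derived from the Anchor and Dinghy tunnel destinations.
"""

# NetBSD /etc/ifconfig.gifN contents per router (transcribed from the page)
NETBSD_IFCONFIG = {
    "Anchor": {
        "gif0": "create\ntunnel 172.16.254.2 172.16.255.2",
        "gif1": "create\ntunnel 172.16.254.2 172.16.0.11",
        "gif2": "create\ntunnel 172.16.254.2 172.16.0.12",
        "gif3": "create\ntunnel 172.16.254.2 10.3.1.1",
    },
    "Dinghy": {
        "gif0": "create\ntunnel 172.16.255.2 172.16.254.2",
        "gif1": "create\ntunnel 172.16.255.2 172.16.0.11",
        "gif2": "create\ntunnel 172.16.255.2 172.16.0.12",
    },
    "Core4": {
        "gif0": "create\ntunnel 10.3.1.1 172.16.254.2",
    },
}

# IOS tunnel stanzas; Edge1 and Edge2 use the same module
IOS_TUNNELS = """\
interface tunnel 0
 tunnel source loopback 0
 tunnel destination 172.16.254.2
 tunnel mode ipv6ip
interface tunnel 1
 tunnel source loopback 0
 tunnel destination 172.16.255.2
 tunnel mode ipv6ip
"""

# (assumed loopback 0 IPv4 address, tunnel stanzas)
IOS_CONFIG = {
    "Edge1": ("172.16.0.11", IOS_TUNNELS),
    "Edge2": ("172.16.0.12", IOS_TUNNELS),
}


def parse_netbsd_gif(text):
    """Return (src, dst) from the 'tunnel SRC DST' line of an ifconfig.gif file."""
    for line in text.splitlines():
        words = line.split()
        if len(words) == 3 and words[0] == "tunnel":
            return words[1], words[2]
    raise ValueError("no tunnel line")


def parse_ios_tunnels(text, loopback_ip):
    """Return [(ifname, src, dst)] for each 'interface tunnel N' stanza.

    'tunnel source loopback 0' is resolved to the router's loopback address.
    """
    tunnels, name, src, dst = [], None, None, None
    for line in text.splitlines() + ["interface end"]:  # sentinel flushes the last stanza
        words = line.split()
        if not words:
            continue
        if words[0] == "interface":
            if name and src and dst:
                tunnels.append((name, src, dst))
            name, src, dst = "".join(words[1:]), None, None
        elif words[:2] == ["tunnel", "source"]:
            src = loopback_ip if words[2].lower().startswith("loopback") else words[2]
        elif words[:2] == ["tunnel", "destination"]:
            dst = words[2]
    return tunnels


def collect_tunnels(netbsd, ios):
    """Return {(router, ifname): (src, dst)} across all routers."""
    tunnels = {}
    for router, files in netbsd.items():
        for ifname, text in files.items():
            tunnels[(router, ifname)] = parse_netbsd_gif(text)
    for router, (loopback, text) in ios.items():
        for ifname, src, dst in parse_ios_tunnels(text, loopback):
            tunnels[(router, ifname)] = (src, dst)
    return tunnels


def orphan_tunnels(tunnels):
    """Tunnels whose (src, dst) has no (dst, src) counterpart on any router."""
    endpoints = set(tunnels.values())
    return sorted((router, ifname, src, dst)
                  for (router, ifname), (src, dst) in tunnels.items()
                  if (dst, src) not in endpoints)
```

With the appendix's data every tunnel is paired; removing Core4 from the input makes Anchor's gif3 show up as an orphan, which is how a mistyped far end would appear.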

/etc/zebra.conf

[email protected]# cat /etc/zebra.conf
!
! Zebra configuration saved from vty
!   2002/10/12 20:04:09
!
hostname Core4(zebra)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/zebra.log
!
debug zebra events
!
interface ne2
 description Edge LAN
 ipv6 nd suppress-ra
!
interface rtk0
 description IPv4-only link to Core3
 ipv6 nd suppress-ra
!
interface rtk1
 description IPv4/IPv6 link to Core1 and Dinghy
 ipv6 nd suppress-ra
!
interface lo0
 description Loopback for BGP peering (IPv6)
!
interface ppp0
 ipv6 nd suppress-ra
!
interface ppp1
 ipv6 nd suppress-ra
!
interface sl0
 ipv6 nd suppress-ra
!
interface sl1
 ipv6 nd suppress-ra
!
interface strip0
 ipv6 nd suppress-ra
!
interface strip1
 ipv6 nd suppress-ra
!
interface tun0
 ipv6 nd suppress-ra
!
interface tun1
 ipv6 nd suppress-ra
!
interface gre0
 ipv6 nd suppress-ra
!
interface gre1
 ipv6 nd suppress-ra
!
interface ipip0
 ipv6 nd suppress-ra
!
interface ipip1
 ipv6 nd suppress-ra
!
interface gif0
 description IPv6 tunnel to router Anchor
 ipv6 nd suppress-ra
!
interface gif1
 description IPv6 tunnel to router Dinghy
 ipv6 nd suppress-ra
!
interface gif2
 ipv6 nd suppress-ra
!
interface gif3
 ipv6 nd suppress-ra
!
ip route 224.0.0.5/32 127.0.0.1
ip route 224.0.0.6/32 127.0.0.1
ipv6 route fefe::a/128 gif0
ipv6 route fefe::d/128 fefe:d::1
!
!
line vty
[email protected]#

/etc/bgpd.conf

[email protected]# cat /etc/bgpd.conf
!
! Zebra configuration saved from vty
!   2002/10/12 20:11:10
!
hostname Core4(bgpd)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/bgpd.log
!
router bgp 65000
 bgp deterministic-med
 neighbor ROUTE-REFLECTORS peer-group
 neighbor ROUTE-REFLECTORS remote-as 65000
 neighbor ROUTE-REFLECTORS description Upstream route reflector servers
 neighbor ROUTE-REFLECTORS update-source Loopback0
 no neighbor ROUTE-REFLECTORS activate
!
 address-family ipv6
 redistribute connected
 neighbor ROUTE-REFLECTORS activate
 neighbor ROUTE-REFLECTORS next-hop-self
 neighbor ROUTE-REFLECTORS route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::a peer-group ROUTE-REFLECTORS
 neighbor fefe::d peer-group ROUTE-REFLECTORS
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 set ipv6 next-hop global fefe::e3
!
line vty
[email protected]#


A.3 RADIUS

The following files configure RADIUS on host Dinghy.

/usr/pkg/etc/raddb/clients

[email protected]# cat /usr/pkg/etc/raddb/clients
#
# clients       This file contains a list of clients which are allowed to
#               make authentication requests and their encryption key.
#
# Description of the fields:
#
#       * The first field is a valid hostname or IP address
#         for the client.
#       * The second field (separated by blanks or tabs) is the
#         encryption key.

# Client Name           Key
#----------------       ----------
core1.brest.lab         Brest-Lab
core2.brest.lab         Brest-Lab
core3.brest.lab         Brest-Lab
edge1.brest.lab         Brest-Lab
edge2.brest.lab         Brest-Lab
edge3.brest.lab         Brest-Lab

/usr/pkg/etc/raddb/naslist

[email protected]# cat /usr/pkg/etc/raddb/naslist
#
# naslist       This file contains a list of NASes (Network Access Servers,
#               also known as terminal servers) which we know.
#
# Description of the fields:
#
#       * The first field is a valid hostname or IP address
#         for the client. It's matched against the NAS-IP-Address
#         sent in the radius packets by the client.
#       * The second field (separated by blanks or tabs) is the
#         short name we use in the logfiles for this NAS.
#         This means /var/log/radacct/<shortname>/detail,
#         and Sxx:<shortname> in the radwtmp file.
#       * The third field defines what type of device it is. Valid
#         values are "livingston", "cisco", etc etc.
#         This is used to find out how to detect simultaneous logins.
#         Please read doc/README.simul for further information.
#
# You can use DEFAULT as a catch-all.
#

# NAS Name              Short Name      Type
#----------------       ----------      ----
core1.brest.lab         core1           cisco
core2.brest.lab         core2           cisco
core3.brest.lab         core3           cisco
edge1.brest.lab         edge1           cisco
edge2.brest.lab         edge2           cisco
edge3.brest.lab         edge3           other
DEFAULT                 default         other
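The clients file is the list of hosts the RADIUS server will answer, keyed by a shared secret, and the naslist file names the same hosts for accounting. The script below is an added example, not part of the workbook: it parses both files (embedded as strings transcribed from the listings above), reports clients absent from naslist, secrets shorter than a chosen minimum, and one secret reused by several clients, which is the situation the listing above shows. The 16-character minimum is an assumption of the check.

```python
"""Audit the RADIUS 'clients' file against 'naslist'.

Added example, not part of the workbook. The two files below are the Dinghy
raddb files from this appendix, embedded as strings; the minimum secret
length is an assumption chosen for this check.
"""

CLIENTS = """\
# Client Name          Key
#----------------      ----------
core1.brest.lab        Brest-Lab
core2.brest.lab        Brest-Lab
core3.brest.lab        Brest-Lab
edge1.brest.lab        Brest-Lab
edge2.brest.lab        Brest-Lab
edge3.brest.lab        Brest-Lab
"""

NASLIST = """\
# NAS Name             Short Name    Type
#----------------      ----------    ----
core1.brest.lab        core1         cisco
core2.brest.lab        core2         cisco
core3.brest.lab        core3         cisco
edge1.brest.lab        edge1         cisco
edge2.brest.lab        edge2         cisco
edge3.brest.lab        edge3         other
DEFAULT                default       other
"""

MIN_SECRET_LEN = 16  # assumption for this audit


def parse_columns(text, ncols):
    """Return the non-comment lines of a raddb file as tuples of ncols fields."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, ncols - 1)
        if len(fields) != ncols:
            raise ValueError(f"malformed line: {line!r}")
        rows.append(tuple(fields))
    return rows


def audit_clients(clients_text, naslist_text):
    """Return a list of findings; an empty list means the files pass."""
    findings = []
    clients = parse_columns(clients_text, 2)
    known_nas = {name for name, _short, _type in parse_columns(naslist_text, 3)}
    hosts_by_secret = {}
    for host, secret in clients:
        hosts_by_secret.setdefault(secret, []).append(host)
        if len(secret) < MIN_SECRET_LEN:
            findings.append(f"{host}: secret shorter than {MIN_SECRET_LEN} characters")
        if host not in known_nas:
            findings.append(f"{host}: missing from naslist, accounting falls back to DEFAULT")
    for secret, hosts in hosts_by_secret.items():
        if len(hosts) > 1:
            # one disclosed secret lets any of these hosts be impersonated to the server
            findings.append(f"secret shared by {len(hosts)} clients: " + ", ".join(hosts))
    return findings
```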

/usr/pkg/etc/raddb/users

[email protected]# cat /usr/pkg/etc/raddb/users
#
# This file contains security and configuration information
# for each user.
#

#
# This is the enable password used for all of our routers.
#
$enab15$        Auth-Type = Local, Password = "q1w2e3r4"
                Service-Type = Administrative-User

#
# All accounts are checked against the UNIX /etc/passwd
# unless a password was already given earlier in this file.
#
DEFAULT         Auth-Type = System
                Fall-Through = 1

#


A.4 Ploticus

zerberus.sh

#!/bin/sh
# $Id: zerberus.sh,v 1.1 2002/08/22 19:21:39 markus Exp $
#
# Sample CPU and memory figures from router Zerberus and append them
# to the logs that cpu.pl and mem.pl plot.

date +"%Y%m%d %H:%M" >> /home/markus/log/zerberus-cpu.log
rtr2 zerberus show proc cpu | grep CPU >> /home/markus/log/zerberus-cpu.log

date +"%Y%m%d %H:%M" >> /home/markus/log/zerberus-memory.log
rtr2 zerberus show proc mem | grep Total: >> /home/markus/log/zerberus-memory.log
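zerberus.sh appends a timestamp line and then the line that "show proc cpu" prints, so each sample occupies two lines of zerberus-cpu.log, and a failed collection leaves a timestamp with no CPU line behind it. The parser below is an added example, not part of the workbook: it pairs each timestamp with its CPU line, drops timestamps whose collection failed instead of pairing them with the next sample, emits the one-line records in the field order that cpu.pl's fieldnames describe, and reports samples above a load threshold. The log excerpt is constructed.

```python
"""Parse the zerberus-cpu.log written by zerberus.sh.

Added example, not from the workbook. Each sample is a timestamp line
followed by the 'CPU utilization ...' line from 'show proc cpu'; the log
excerpt below is constructed in that layout, including one failed sample.
"""
import re

SAMPLE_LOG = """\
20020822 19:20
CPU utilization for five seconds: 3%/0%; one minute: 4%; five minutes: 5%
20020822 19:25
CPU utilization for five seconds: 97%/60%; one minute: 80%; five minutes: 45%
20020822 19:30
% Connection refused by remote host
20020822 19:35
CPU utilization for five seconds: 6%/1%; one minute: 7%; five minutes: 9%
"""

STAMP_RE = re.compile(r"^(\d{8}) (\d{2}:\d{2})$")
CPU_RE = re.compile(r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
                    r"one minute: (\d+)%; five minutes: (\d+)%")


def parse_cpu_log(text):
    """Return one dict per complete sample (timestamp line plus CPU line).

    A timestamp that is not followed by a CPU line (the collector failed)
    is discarded instead of being paired with the next sample's CPU line.
    """
    samples, stamp = [], None
    for line in text.splitlines():
        m = STAMP_RE.match(line)
        if m:
            stamp = m.groups()          # (date, time) waiting for its CPU line
            continue
        m = CPU_RE.search(line)
        if m and stamp:
            five_s, interrupt, one_m, five_m = map(int, m.groups())
            samples.append({"date": stamp[0], "time": stamp[1],
                            "cpu5s": five_s, "cpu_int": interrupt,
                            "cpu1m": one_m, "cpu5m": five_m})
        stamp = None                    # whatever this line was, it consumed the stamp
    return samples


def ploticus_rows(samples):
    """Single-line records in the field order cpu.pl's 'fieldnames' describes."""
    return [f"{s['date']} {s['time']} CPU utilization for five seconds: "
            f"{s['cpu5s']}%/{s['cpu_int']}%; one minute: {s['cpu1m']}%; "
            f"five minutes: {s['cpu5m']}%" for s in samples]


def over_threshold(samples, limit=75):
    """Timestamps whose one-minute average exceeds limit percent."""
    return [f"{s['date']} {s['time']}" for s in samples if s["cpu1m"] > limit]
```

A sustained jump in the one-minute figure is the same signal the MRTG avgBusy1 graph in section A.5 plots, only here it is available for an alert instead of a picture.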

cpu.pl

// $Id: cpu.pl,v 1.1 2002/08/22 19:21:13 markus Exp $
#proc getdata
  file: ../log/zerberus-cpu.log
  delim: space
  fieldnames: datestamp timestamp CPU utilization for five seconds: crap one minute: cpu-1 five minutes: cpu-5
  showresults: yes

#proc areadef
  areaname: standard
  title: CPU Utilization (5 Minute Moving Average)
  titledetails: align=C size=12 style=B adjust=0,0.2
  rectangle: 1 1 7.5 4
  xscaletype: time hh:mm
  //xautorange: datafield=timestamp
  xrange: 17:00 20:00
  yscaletype: linear
  yrange: 0 100
  frame: yes

#proc xaxis
  grid: color=oceanblue
  gridskip: minmax
  label: Time
  labeldetails: size=10 style=B adjust=0,-0.4
  stubs: incremental 5
  stubformat: hh:mm
  stubvert: yes

#proc yaxis
  grid: color=oceanblue
  gridskip: minmax
  label: Percent
  labeldetails: size=10 style=B
  stubs: incremental 10

#proc lineplot
  xfield: timestamp
  yfield: cpu-5
  stairstep: yes
  // gapmissing: yes   // Documented on the web site but not available in my ploticus
  numbers: yes
  linedetails: width=2 color=green
  //fill: green
  legendlabel: Moving average over 5 minutes read from router

//#proc curvefit
//  curvetype: movingavg
//  xfield: timestamp
//  yfield: cpu-5
//  order: 12
//  linedetails: color=red
//  legendlabel: Moving average over 60 min

//#proc legend
//  location: min+1 min-0.5
//  format: singleline

mem.pl

// $Id: mem.pl,v 1.1 2002/08/22 19:21:22 markus Exp $
#proc getdata
  file: ../log/zerberus-memory.log
  delim: space
  fieldnames: datestamp timestamp Total: total-mem Used: used-mem Free: free-mem
  showresults: yes

#proc areadef
  areaname: standard
  title: Processor Memory Utilization (5 Minute)
  titledetails: align=C size=12 style=B adjust=0,0.2
  rectangle: 1 1 7.5 4
  xscaletype: time hh:mm
  //xautorange: datafield=timestamp
  xrange: 17:00 20:00
  yscaletype: linear
  yrange: 0 16384000   // Adapt this to the processor memory in the router;
                       // Zerberus has 16MB, 14MB are processor memory
  frame: yes

#proc xaxis
  grid: color=oceanblue
  gridskip: minmax
  label: Time
  labeldetails: size=10 style=B
  labeldistance: 0.65
  stubs: incremental 5
  stubformat: hh:mm
  stubvert: yes

#proc yaxis
  grid: color=oceanblue
  gridskip: minmax
  label: Byte
  labeldetails: size=10 style=B
  labeldistance: 0.75
  stubs: incremental 1000000   //1048576
  stubformat: %3.0f

#proc lineplot
  xfield: timestamp
  yfield: total-mem
  stairstep: yes
  //gapmissing: yes   // Documented on the web site but not available in my ploticus
  linedetails: width=2 color=blue
  legendlabel: Total memory

#proc lineplot
  xfield: timestamp
  yfield: used-mem
  stairstep: yes
  //gapmissing: yes   // Documented on the web site but my ploticus complains
  linedetails: width=2 color=red
  legendlabel: Used memory

#proc lineplot
  xfield: timestamp
  yfield: free-mem
  stairstep: yes
  //gapmissing: yes   // Documented on the web site but not available in my ploticus
  linedetails: width=2 color=green
  legendlabel: Free memory

#proc legend
  location: min+0.75 min-0.65
  format: singleline


A.5 MRTG

mrtg.conf

#
# $Id: mrtg.conf,v 1.1 2002/09/23 18:09:46 mrtg Exp $
#

#
# Set global options
#
WorkDir: /home/mrtg/public_html
RunAsDaemon: Yes
Refresh: 300
Interval: 5
WriteExpires: Yes
#Language: german

#
# Load per-router configuration files
#
Include: edge1-cpu_mrtg.conf
Include: edge1-memory_mrtg.conf

Include: edge2-cpu_mrtg.conf
Include: edge2-memory_mrtg.conf

Include: hub1-cpu_mrtg.conf
Include: hub1-memory_mrtg.conf

router_name-cpu_mrtg.conf

# $Id: router_name-cpu_mrtg.conf,v 1.2 2002/09/25 12:58:08 root Exp $
#
# Graph CPU load of a Cisco router
#
# OID avgBusy5 1.3.6.1.4.1.9.2.1.58.0
#     5 minute exponentially-decayed moving
#     average of the CPU busy percentage.
#
# OID avgBusy1 1.3.6.1.4.1.9.2.1.57.0
#     1 minute exponentially-decayed moving
#     average of the CPU busy percentage.

# Replace these variables to individualize this template:
# <ROUTER_NAME>
# <ROUTER_SHORT_NAME>
# <SNMP_COMMUNITY>

Target[cpu-<ROUTER_SHORT_NAME>]: 1.3.6.1.4.1.9.2.1.58.0&1.3.6.1.4.1.9.2.1.57.0:<SNMP_COMMUNITY>@<ROUTER_NAME>
RouterUptime[cpu-<ROUTER_SHORT_NAME>]: <SNMP_COMMUNITY>@<ROUTER_NAME>
Suppress[cpu-<ROUTER_SHORT_NAME>]: wmy
PageTop[cpu-<ROUTER_SHORT_NAME>]: <H1>CPU Statistics for Router <ROUTER_SHORT_NAME></H1>
Title[cpu-<ROUTER_SHORT_NAME>]: CPU Statistics for Router <ROUTER_SHORT_NAME>
PageFoot[cpu-<ROUTER_SHORT_NAME>]: <P>Data for OIDs "avgBusy5" and "avgBusy1" is collected in 5 minute intervals.</P>
MaxBytes[cpu-<ROUTER_SHORT_NAME>]: 100
Directory[cpu-<ROUTER_SHORT_NAME>]: <ROUTER_SHORT_NAME>
Options[cpu-<ROUTER_SHORT_NAME>]: gauge, growright, unknaszero, nobanner
Colours[cpu-<ROUTER_SHORT_NAME>]: RED#ff0000,BLUE#1000ff,GREEN#006600,VIOLET#ff00ff
YLegend[cpu-<ROUTER_SHORT_NAME>]: Percent
ShortLegend[cpu-<ROUTER_SHORT_NAME>]: %
Legend1[cpu-<ROUTER_SHORT_NAME>]: 5 minute average of CPU busy
Legend2[cpu-<ROUTER_SHORT_NAME>]: 1 minute average of CPU busy
LegendI[cpu-<ROUTER_SHORT_NAME>]: &nbsp;5min:
LegendO[cpu-<ROUTER_SHORT_NAME>]: &nbsp;1min:

router_name-memory_mrtg.conf

# $Id: router_name-memory_mrtg.conf,v 1.2 2002/09/25 13:40:06 root Exp $
#
# Graph memory utilization of a Cisco router
#
# OID ciscoMemoryPoolUsed 1.3.6.1.4.1.9.9.48.1.1.1.5.0
#     Indicates the number of bytes from the memory pool
#     that are currently in use by applications on the
#     managed device.
# OID ciscoMemoryPoolFree 1.3.6.1.4.1.9.9.48.1.1.1.6.0
#     Indicates the number of bytes from the memory pool
#     that are currently unused on the managed device.
#     Note that the sum of ciscoMemoryPoolUsed and
#     ciscoMemoryPoolFree is the total amount of memory
#     in the pool.
# OID ciscoMemoryPoolLargestFree 1.3.6.1.4.1.9.9.48.1.1.1.7.0
#     Indicates the largest number of contiguous bytes
#     from the memory pool that are currently unused on
#     the managed device.

# Replace these variables to individualize this template:
# <ROUTER_NAME>
# <ROUTER_SHORT_NAME>
# <SNMP_COMMUNITY>
# <PHYSICAL_MEMORY>   Amount of DRAM (in MB) present in the router.
# <PROCESSOR_MEMORY>  Use the value from the "show version" display (in bytes).

Target[mem-<ROUTER_SHORT_NAME>]: 1.3.6.1.4.1.9.9.48.1.1.1.5.0&1.3.6.1.4.1.9.9.48.1.1.1.6.0:<SNMP_COMMUNITY>@<ROUTER_NAME>
RouterUptime[mem-<ROUTER_SHORT_NAME>]: <SNMP_COMMUNITY>@<ROUTER_NAME>
Suppress[mem-<ROUTER_SHORT_NAME>]: wmy
PageTop[mem-<ROUTER_SHORT_NAME>]: <H1>Memory Statistics for Router <ROUTER_SHORT_NAME></H1>
 <P>Router has <PHYSICAL_MEMORY> MB of DRAM installed.
 <PROCESSOR_MEMORY> bytes are used as processor memory.</P>
Title[mem-<ROUTER_SHORT_NAME>]: Memory Statistics for Router <ROUTER_SHORT_NAME>
PageFoot[mem-<ROUTER_SHORT_NAME>]: <P>Data for OIDs is collected in 5 minute intervals.</P>
 <P>The sum of ciscoMemoryPoolUsed and ciscoMemoryPoolFree
 is the total amount of memory in the pool.</P>
MaxBytes[mem-<ROUTER_SHORT_NAME>]: <PROCESSOR_MEMORY>
Unscaled[mem-<ROUTER_SHORT_NAME>]: d
Directory[mem-<ROUTER_SHORT_NAME>]: <ROUTER_SHORT_NAME>
Options[mem-<ROUTER_SHORT_NAME>]: gauge, integer, growright, unknaszero, nobanner
Colours[mem-<ROUTER_SHORT_NAME>]: RED#ff0000,BLUE#1000ff,GREEN#006600,VIOLET#ff00ff
YLegend[mem-<ROUTER_SHORT_NAME>]: Bytes
ShortLegend[mem-<ROUTER_SHORT_NAME>]: byte
Legend1[mem-<ROUTER_SHORT_NAME>]: Bytes from the memory pool that are used
Legend2[mem-<ROUTER_SHORT_NAME>]: Bytes from the memory pool that are unused
LegendI[mem-<ROUTER_SHORT_NAME>]: &nbsp;usedBytes:
LegendO[mem-<ROUTER_SHORT_NAME>]: &nbsp;freeBytes:

Target[memfree-<ROUTER_SHORT_NAME>]: 1.3.6.1.4.1.9.9.48.1.1.1.6.0&1.3.6.1.4.1.9.9.48.1.1.1.7.0:<SNMP_COMMUNITY>@<ROUTER_NAME>
RouterUptime[memfree-<ROUTER_SHORT_NAME>]: <SNMP_COMMUNITY>@<ROUTER_NAME>
Suppress[memfree-<ROUTER_SHORT_NAME>]: wmy
PageTop[memfree-<ROUTER_SHORT_NAME>]: <H1>Free Memory Statistics for Router <ROUTER_SHORT_NAME></H1>
 <P>Router has <PHYSICAL_MEMORY> MB of DRAM installed.
 <PROCESSOR_MEMORY> bytes are used as processor memory.</P>
Title[memfree-<ROUTER_SHORT_NAME>]: Free Memory Statistics for Router <ROUTER_SHORT_NAME>
PageFoot[memfree-<ROUTER_SHORT_NAME>]: <P>Data for OIDs is collected in 5 minute intervals.</P>
 <P>Do we have fragmented memory?</P>
MaxBytes[memfree-<ROUTER_SHORT_NAME>]: <PROCESSOR_MEMORY>
Unscaled[memfree-<ROUTER_SHORT_NAME>]: d
Directory[memfree-<ROUTER_SHORT_NAME>]: <ROUTER_SHORT_NAME>
Options[memfree-<ROUTER_SHORT_NAME>]: gauge, integer, growright, unknaszero, nobanner
Colours[memfree-<ROUTER_SHORT_NAME>]: RED#ff0000,BLUE#1000ff,GREEN#006600,VIOLET#ff00ff
YLegend[memfree-<ROUTER_SHORT_NAME>]: Bytes
ShortLegend[memfree-<ROUTER_SHORT_NAME>]: byte
Legend1[memfree-<ROUTER_SHORT_NAME>]: Bytes from the memory pool that are unused
Legend2[memfree-<ROUTER_SHORT_NAME>]: Largest block (contiguous bytes) of free memory
LegendI[memfree-<ROUTER_SHORT_NAME>]: &nbsp;freeBytes:
LegendO[memfree-<ROUTER_SHORT_NAME>]: &nbsp;largestBlock:
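All three templates hand MRTG a <SNMP_COMMUNITY> value, and MRTG polls with SNMPv1 (or v2c), where that community string is the only credential and is carried in cleartext in every request. The following Python is an added example for this logbook, not MRTG code or part of the lab configuration: it hand-encodes, in BER with the standard library only, the GetRequest that the cpu template's Target line produces, and then reads the community string back out of the raw bytes, which is all a host on the same segment has to do. The community "public" and the request id are constructed placeholders.

```python
"""Added example: the SNMPv1 GetRequest behind an MRTG Target line such as
  1.3.6.1.4.1.9.2.1.58.0&1.3.6.1.4.1.9.2.1.57.0:<SNMP_COMMUNITY>@<ROUTER_NAME>
hand-encoded in BER, plus the decoder a passive observer needs to lift the
community string out of it.  Standard library only."""


def ber_length(n: int) -> bytes:
    """BER definite length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(n: int) -> bytes:
    """Non-negative INTEGER in minimal two's complement (the leading bit must stay 0)."""
    if n < 0:
        raise ValueError("only non-negative integers are needed for SNMP headers")
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: arcs 1 and 2 packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return tlv(0x06, bytes(body))


def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def snmp_get_request(community: str, oids, request_id: int = 1, version: int = 0) -> bytes:
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, GetRequest-PDU [0] }.
    version 0 is SNMPv1 (MRTG's default), 1 is SNMPv2c; both carry the community unencrypted."""
    varbinds = b"".join(tlv(0x30, encode_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0) + ber_integer(0) + tlv(0x30, varbinds))
    return tlv(0x30, ber_integer(version) + tlv(0x04, community.encode("ascii")) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def community_from_packet(packet: bytes) -> str:
    """What a sniffer sees: the community is the second element of the outer SEQUENCE."""
    tag, message, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = read_tlv(message, 0)
    tag, community, _ = read_tlv(message, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    return community.decode("ascii")


def oids_from_packet(packet: bytes) -> list:
    """Walk version, community, PDU header and the varbind list; return the requested OIDs."""
    _, message, _ = read_tlv(packet, 0)
    _, _, pos = read_tlv(message, 0)                 # version
    _, _, pos = read_tlv(message, pos)               # community
    tag, pdu, _ = read_tlv(message, pos)
    if tag != 0xA0:
        raise ValueError("not a GetRequest-PDU")
    pos = 0
    for _ in range(3):                               # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, varbind, pos = read_tlv(varbinds, pos)
        _, oid, _ = read_tlv(varbind, 0)
        oids.append(decode_oid(oid))
    return oids


if __name__ == "__main__":
    # avgBusy5 and avgBusy1 from the cpu template; "public" is a constructed placeholder community
    pkt = snmp_get_request("public", ["1.3.6.1.4.1.9.2.1.58.0", "1.3.6.1.4.1.9.2.1.57.0"])
    print(pkt.hex())
    print("community on the wire:", community_from_packet(pkt), oids_from_packet(pkt))
```

The bytes printed are what leaves the MRTG host on UDP/161 every five minutes; anyone who can capture them on the office LAN has the community. Treat the value as a password: use a read-only community that differs from the write community, and restrict the router to accepting it only from the MRTG host.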


A.6 Expect

rtr3

#!/usr/pkg/bin/expect --
#
# $Id: rtr3,v 1.3 2002/09/30 18:21:50 markus Exp $
#
# Connect to a Cisco/Zebra/Unix box and execute one or multiple commands
#   Cisco: A box prompting "Username:" is considered a Cisco router.
#          Logon uses username/password/enable_password
#   Zebra: A box prompting "Password:" is considered a Zebra router
#          or a Cisco router without username.
#          Logon uses password/enable_password
#   Unix:  A box prompting "login:" is considered a Unix machine.
#          Login uses username/password/root_password
#
# Syntax: rtr3 <router> [<cli_command> [: <cli_command>]]
#
# Implicit: username/password tuple for any router is defined in this script
#           empty command string connects to the router interactively
#
# Caveats: (1) Passing command flags to Unix boxes does not work.
#          (2) Script does not work with pre-authenticated access such as Kerberos.
#          (3) Script requires prompts containing the character > in
#              unprivileged mode and prompts containing the character # in
#              privileged mode.
#          (4) All credentials are stored in plaintext in ~/.rtr3 and are
#              sent in the clear by telnet; keep ~/.rtr3 at mode 0600 and
#              use this script only on the isolated lab network.

# Set default values
set cisco_username        admin
set cisco_password        geheim
set cisco_enable_password strenggeheim
set unix_username         admin
set unix_password         geheim
set unix_root_password    strenggeheim
set zebra_password        geheim
set zebra_enable_password strenggeheim

# Redefine defaults with user specific values
if {[file exists ~/.rtr3]} {
    source ~/.rtr3
} else {
    puts "ERROR: ~/.rtr3 does not exist"
    puts "Default username and passwords are most likely not suitable for your network."
    puts ""
    puts "~/.rtr3 format:"
    puts "set cisco_username <username>"
    puts "set cisco_password <password>"
    puts "set cisco_enable_password <password>"
    puts "set unix_username <username>"
    puts "set unix_password <password>"
    puts "set unix_root_password <password>"
    puts "set zebra_password <password>"
    puts "set zebra_enable_password <password>"
    exit 1
}

#
# Procedure execute_command
#
proc execute_command {command_string remote_box} {
    if {$command_string == "INTERACTIVE"} {
        interact
        exit 0
    } else {
        # Give a command up to 5 min. to complete
        set timeout 300

        # Disable paging so that long output does not stall on a "--More--" prompt
        switch -- $remote_box {
            "CISCO" {
                send "term leng 0\r"
                expect "#" {} default { puts "Error. Giving up."; exit 1 }
            }
            "ZEBRA" {
                send "term leng 0\r"
                expect "#" {} default { puts "Error. Giving up."; exit 1 }
            }
            default {}
        }

        # Words are sent one by one; a ":" element ends the current command
        foreach element $command_string {
            if {$element == ":"} {
                send \r
                expect "#" {} default { puts "Error. Giving up."; exit 1 }
            } else {
                send "$element "
            } ;# closes if
        } ;# closes foreach
        send \r
        expect "#" {} default { puts "Error. Giving up."; exit 1 }

        exit 0
    }
}
#
# End of procedure execute_command
#

#
# Procedure logon_cisco
#
# Telnet returned a "Username:" prompt => assuming remote box is Cisco
proc logon_cisco {username password enable_password command remote_box} {
    send "$username\r"
    expect "Password:" {} default { puts "Error. Giving up."; exit 1 }
    send "$password\r"
    expect {
        ">" {}
        "% Authentication failed." { exit 1 }
        default { puts "Error. Giving up."; exit 1 }
    }
    send "enable\r"
    expect "Password:" {} default { puts "Error. Giving up."; exit 1 }
    send "$enable_password\r"
    expect {
        "#" { execute_command $command $remote_box; return }
        "Access denied" { exit 1 }
        default { puts "Error. Giving up."; exit 1 }
    }
}
#
# End of procedure logon_cisco
#

#
# Procedure logon_zebra
#
# Telnet returned a "Password:" prompt => assuming remote box is Zebra
proc logon_zebra {password enable_password command remote_box} {
    send "$password\r"
    expect {
        ">" {}
        "Authentication failed" { exit 1 }
        default { puts "Error. Giving up."; exit 1 }
    }
    send "enable\r"
    expect "Password:" {} default { exit 1 }
    send "$enable_password\r"
    expect {
        "#" { execute_command $command $remote_box; return }
        "Access denied" { exit 1 }
        default { puts "Error. Giving up."; exit 1 }
    }
}
#
# End of procedure logon_zebra
#

#
# Procedure logon_unix
#
# Telnet returned a "login:" prompt => assuming remote box is NetBSD
proc logon_unix {username password root_password command remote_box} {
    send "$username\r"
    expect "Password:" {} default { exit 1 }
    send "$password\r"
    expect {
        ">" {}
        "Login incorrect" { exit 1 }
        default { puts "Error. Giving up."; exit 1 }
    }
    send "su -\r"
    expect "Password:" {} default { puts "Error. Giving up."; exit 1 }
    send "$root_password\r"
    expect {
        "#" { execute_command $command $remote_box; return }
        "Sorry" { exit 1 }
        default { puts "Error. Giving up."; exit 1 }
    }
}
#
# End of procedure logon_unix
#

########## ########## ########## ########## ########## ########## ##########
#
# Main procedure
#

# check arguments
if {[llength $argv] == 0} {
    puts "Connect to a Cisco/Zebra/Unix box and execute one or multiple commands"
    puts " "
    puts "Syntax: rtr3 \<router\> \[\<command string\> \[ : \<command string\>\]\]"
    puts ""
    puts "Example:"
    puts "rtr3 zebrabox:2604 show ip ospf neigh : show ip ospf database"
    puts "rtr3 ciscobox conf t : int eth 0 : shutdown"
    puts "rtr3 unixbox ifconfig de0 : ifconfig ep1 : cat /etc/gated.conf"
    puts ""
    puts "Implicit:"
    puts "Username/password/enable_password of targets must be defined in ~/.rtr3"
    puts "Empty command string connects to the router interactively"
    puts ""
    puts "Caveats:"
    puts "(1) Passing command flags to Unix boxes does not work."
    puts "(2) Script does not work with pre-authenticated access such as Kerberos."
    puts "(3) Script requires prompts containing the character > in"
    puts "    unprivileged mode and prompts containing the character # in"
    puts "    privileged mode."
    exit 1
}

# If we reach this point an argument was passed to the script.
# Let's see what we have.
set i 0
set j 0
set router ""
set command ""
set element ""
set remote_box "UNKNOWN"

foreach element $argv {
    incr i
    if {$i == 1} {
        set j [string first ":" $element]
        if {$j == -1} {
            # no port number given
            set router $element
        } else {
            # port number given: "host:port" becomes "host port" for telnet
            regsub ":" $element " " router
        }
    } else {
        set command "$command$element "
    }
}

if {$command == ""} {
    set command "INTERACTIVE"
}

# The variables $router and $command now store the router name and command string
# $command contains INTERACTIVE if no command string was specified

# Login to the router and switch to enable mode
set timeout 10
spawn /bin/sh -c "exec telnet $router"

expect {
    "Username:" {
        set remote_box "CISCO"
        logon_cisco $cisco_username $cisco_password $cisco_enable_password $command $remote_box
    }
    "Password:" {
        set remote_box "ZEBRA"
        logon_zebra $zebra_password $zebra_enable_password $command $remote_box
    }
    "login:" {
        set remote_box "UNIX"
        logon_unix $unix_username $unix_password $unix_root_password $command $remote_box
    }
    default {
        puts "Error telnetting to $router. Giving up."
        exit 1
    }
}

exit 0

#
# End of main procedure
########## ########## ########## ########## ########## ########## ##########


B Problem and Resolution Log

B.1 2002-09-00 - Installing NetBSD on SGI Indy

B.1.1 Status: SOLVED

B.1.2 Symptom

On a headless Indy, pressing the Escape key does not bring the machine into PROM mode.

B.1.3 Analysis

From: Rafal Boni <[email protected]>
Date: Tue, 10 Sep 2002 20:43:00 Europe/Berlin
To: Markus Boeing <[email protected]>
Subject: Re: Q: Headless Indy, How to go into PROM monitor

In message <[email protected]>, you write:

-> Hi Rafal,
->
-> thanks for your reply.
->
-> Well, the serial console works ok I think (I'm using <Mac modem
-> cable>-<null modem>-<straight Cisco console cable>). I can see messages
-> during the boot up on the terminal. I just don't know how to get the PROM
-> mode, pressing ESC on the serial console doesn't help.

First, is your keyboard plugged in? If so, unplug it.... You should then
at least get messages on the serial console about the KB being unavailable
and it falling back to serial console...

Second of all, I think you should be able to press any key to interrupt
the boot if you hit it in the right period of a couple of seconds. If
you *are* getting messages on the console, it might be interesting to
paste (or paraphrase) what you see... There are cases (ie, a bad SCSI
disk, etc.) where the PROM can hang for quite a while and not respond
to input *before* it offers you a choice of doing anything (esp. if
it's attempting to do the diagnostics).

(All my SGI's are in storage right now, or I'd give you better clues 8-)


--rafal

----
Rafal Boni  [email protected]
We are all worms. But I do believe I am a glowworm. -- Winston Churchill

From: Steve Rikli <[email protected]>
Date: Tue, 10 Sep 2002 21:08:17 Europe/Berlin
To: [email protected] (Markus Boeing)
Subject: Re: Q: Headless Indy, How to go into PROM monitor

Markus Böing wrote:
>
> may I ask a very basic question regarding SGI Indy operation?
>
> I recently acquired an Indy w/o monitor that I would like to use with
> NetBSD as a lab server. My problem is that I am running the box headless
> and I cannot get it into PROM mode. I can see the request to press ESC
> during boot up but it seems that I cannot force the box into PROM from the
> serial console. Any ideas how to do that? BTW I cannot access the box once
> it booted up. It responds neither to serial console nor to telnet. Most
> probably the operating system is screwed up badly.

Possibly a serial cable pinout problem? E.g. maybe you have the "TX"
and "RX" pins talking to the corresponding "TX" and "RX" rather than
vice versa? (ie. pins 2 and 3 are flipped the wrong way?)

The way it's _supposed_ to work (in theory ;-) ) is very much like Sun
hardware, if you're familiar at all with that. That is, unplug the
keyboard, plug in the serial console cable (should be a round "din-8"
connector on Indy) and hit <esc> to interrupt the bootup.

After that you should see a prompt which looks like ">>" -- that's the
IRIX PROM.

cheers,
sr.
--
Steve Rikli, Systems Administrator, [email protected]
"When I was younger, I made it a rule never to take strong drink before lunch.
 It is now my rule never to do so before breakfast." - Winston Churchill

B.1.4 Solution

Replaced the console cable. I am now using [Indy serial port 1]-[Mac modem cable (DB25)]-[null modem]-[Cisco DB25-to-RJ45 plug (Terminal)]-[Cisco RJ45-to-RJ45 console cable (roll-over cable)]-[DEC VT510].


B.1.5 Symptom

Using PROM to boot a kernel from a TFTP server produces "wrong magic number" error messages but does not boot the kernel.

B.1.6 Analysis

The symptom is described in the NetBSD/sgimips FAQ (http://www.netbsd.org/Ports/sgimips/faq.html): "Another old PROM issue: old PROMs don't understand ELF, so you may need an ECOFF kernel."

B.1.7 Solution

Booting an uncompressed ECOFF kernel fixed the problem (booting a gzipped ECOFF kernel produced the same "wrong magic number" messages).

B.1.8 Symptom

Using PROM to boot a kernel from a TFTP server starts the transfer but then times out with the error message "no such device".

B.1.9 Analysis

From: Rafal Boni <[email protected]>
Date: Wed, 11 Sep 2002 21:56:20 Europe/Berlin
To: Markus Boeing <[email protected]>
Cc: [email protected]
Subject: Re: Q: Netbooting installation kernel fails on INDY

In message <[email protected]>, you write:

-> Ladies and Gents,
->
-> I have yet another question regarding NetBSD installation on Indy:
->
-> I am using the files from the 200209080000 directory on releng.netbsd.org.
->
-> I have set up a server (NetBSD/alpha with DHCP client entry for the Indy,
-> TFTP enabled and boot kernel in /tftpboot/netbsd) with kernel
-> netbsd-INDY_INSTALL.ecoff. The Indy root directory holds the contents of
-> installation/netboot/diskimage.gz.

Your Indy probably should be fine with the ELF version, but that's not
the issue here...

-> I am booting the Indy from PROM:
->
-> >>boot -f bootp():/netbsd/netbsd-INDY_INSTALL.ecoff
-> Setting $netaddr to 172.16.254.20 (from server 172.16.254.2)
-> Obtaining /netbsd/netbsd-INDY_INSTALL.ecoff from server 172.16.254.2
-> 5876528
-> Cannot load bootp():/netbsd/netbsd-INDY_INSTALL.ecoff.
-> Error reading text section: cnt=0xc0, expected 0x59ab30.
-> Unable to load bootp():/netbsd/netbsd-INDY_INSTALL.ecoff: no such device.
->
-> The whole process takes a couple of minutes.

Please check the FAQ (at http://www.netbsd.org/Ports/sgimips/faq.html), esp.
the following link: http://www.netbsd.org/Ports/sgimips/faq.html#prom-tftp-client-failing

The problem is most likely the Indy's PROM getting confused by the returned
TFTP packets and timing out the transfer.

--rafal

----
Rafal Boni  [email protected]
We are all worms. But I do believe I am a glowworm. -- Winston Churchill

B.1.10 Solution

Modifying the TFTP settings on the server (NetBSD/alpha) fixed the problem: sysctl -w net.inet.ip.anonportmin=20000 and sysctl -w net.inet.ip.anonportmax=32767 restrict the server's ephemeral port range to 20000-32767, so its TFTP replies are sent from source ports below 32768.


B.2 2001-10-06 - GateD: No IP forwarding

B.2.1 Status: SOLVED

B.2.2 Symptom

GateD complains about missing support for IP forwarding during startup. This happens under NetBSD v1.5/i386 and NetBSD v1.5.2/alpha.

B.2.3 Analysis

The GENERIC kernel of NetBSD does not have IP forwarding enabled by default. This can be verified with the command sysctl net.inet.ip.forwarding. In order to use routing software on a NetBSD machine, IP forwarding must be enabled.

B.2.4 Solution

There are two options to solve the problem:

• Compile a new kernel with IP forwarding enabled by default.

• Add the statement sysctl -w net.inet.ip.forwarding=1 to the file /etc/rc.local.

The second approach has been implemented.


B.3 2001-10-04 - Zebra OSPFd on NetBSD does not form Adjacency

B.3.1 Status: SOLVED

B.3.2 Symptom

List: zebra
Subject: [zebra 10698] Q: OSPF is not establishing adjacency
From: Markus Boeing <[email protected]>
Date: 2001-10-04 18:49:19

Ladies and Gents,

may I ask for your help regarding Zebra and OSPF?

I am setting up a small lab using Cisco routers, GateD and Zebra. So far I
was unable to get Zebra's OSPF up.

I am using Zebra v0.91a on NetBSD 1.5/i386 (installed from package
distribution) but I could observe the same behavior with Zebra v0.92a
compiled from source.

The lab topology is pretty simple, two Cisco routers and the Zebra box
share a LAN (IPv4: 192.168.16.0/27; .1 and .2 are Cisco boxes; .3 is Zebra).
BTW The Zebra box has only one interface but that is ok. I want to use
it as BGP route reflector server later on.

What happens now is that the Zebra box receives Hellos from the Ciscos
but itself is not sending Hellos. Therefore bidirectional communication
cannot be established and an adjacency will not be formed. The Cisco boxes
use their LAN interface for router id (=> They are in a connected network,
no routing is involved to get to it.). The configuration of the Cisco
boxes should be fine because they play nicely with each other and
GateD/OSPF.

Observation:
- Debug on the Cisco boxes does not show Hello packets emitted from the
  Zebra box.
- Debug on the Zebra box shows incoming Hello packets (HelloReceived,
  1-WayReceived) and "sendto in ospf_write failed with No route to host".

Theory:
- I misconfigured Zebra.


Here is my ospfd.conf
+---
hostname Gamma(ospfd)
password 1q2w3e4r
enable password 1q2w3e4r
!
interface ne2
 ip ospf network broadcast
!
router ospf
 network 192.168.16.3/27 area 0    ! mask should match "ifconfig netmask"
 ospf router-id 192.168.16.3
 ospf abr-type cisco               ! probably useless
 area 0 range 192.168.16.0/24
!
log file /var/log/zebra/ospfd.log
+---

+---
root@gamma# ifconfig ne2
ne2: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (10baseT)
        inet 192.168.16.3 netmask 0xffffffe0 broadcast 192.168.16.31
        inet6 fe80::2e0:7dff:fe95:9450%ne2 prefixlen 64 scopeid 0x1
root@gamma#
+---

Here is some output from debug on Zebra:
+---
2001/10/04 19:33:10 OSPF: NSM[ne2:192.168.16.2]: Init (HelloReceived)
2001/10/04 19:33:10 OSPF: NSM[ne2:192.168.16.2]: nsm_ignore called
2001/10/04 19:33:10 OSPF: NSM[ne2:192.168.16.2]: Init (1-WayReceived)
2001/10/04 19:33:17 OSPF: make_hello: options: 2, int: ne2
2001/10/04 19:33:17 OSPF: *** sendto in ospf_write failed with No route to host
2001/10/04 19:33:20 OSPF: Packet 192.168.16.2 [Hello:RECV]: Options *|*|-|-|-|-|E|*
2001/10/04 19:33:20 OSPF: NSM[ne2:192.168.16.2]: Init (HelloReceived)
2001/10/04 19:33:20 OSPF: NSM[ne2:192.168.16.2]: nsm_ignore called
2001/10/04 19:33:20 OSPF: NSM[ne2:192.168.16.2]: Init (1-WayReceived)
2001/10/04 19:33:27 OSPF: make_hello: options: 2, int: ne2
2001/10/04 19:33:27 OSPF: *** sendto in ospf_write failed with No route to host
2001/10/04 19:33:30 OSPF: Packet 192.168.16.2 [Hello:RECV]: Options *|*|-|-|-|-|E|*
+---

Help and comments are greatly appreciated.


TIA

/Markus.

+---
Markus A. Boeing
mailto://[email protected]
http://www.boeing-online.de
+---
"For the man who does not know where he is drifting, there is no
favourable wind." Seneca

B.3.3 Analysis

List: zebra
Subject: [zebra 10712] RE: Q: OSPF is not establishing adjacency
From: "Frank Dauer" <[email protected]>
Date: 2001-10-05 8:20:27

Hello,

> - Debug on the Zebra box shows incoming Hello packets (HelloReceived,
>   1-WayReceived) and "sendto in ospf_write failed with No
>   route to host".

The ospfd does not know where to send its (multicast) packets to.

A friend of mine has had a similar problem with FreeBSD. Try adding
a loopback route for 224. (i.e., route add 224 127.0.0.1).

Bye,

Frank

List: zebra
Subject: [zebra 10719] Re: Q: OSPF is not establishing adjacency
From: Jasper Wallace <[email protected]>
Date: 2001-10-05 11:07:02

On Thu, 4 Oct 2001, Markus Böing wrote:

> Ladies and Gents,
>
> may I ask for your help regarding Zebra and OSPF?
>
> I am setting up a small lab using Cisco routers, GateD and Zebra. So far I
> was unable to get Zebra's OSPF up.


>
> I am using Zebra v0.91a on NetBSD 1.5/i386 (installed from package
> distribution) but I could observe the same behavior with Zebra v0.92a
> compiled from source.

0.92a is in the latest version of pkgsrc.

> Observation:
> - Debug on the Cisco boxes does not show Hello packets emitted from the
>   Zebra box.
> - Debug on the Zebra box shows incoming Hello packets (HelloReceived,
>   1-WayReceived) and "sendto in ospf_write failed with No route to host".

zebra doesn't quite understand the way multicast works on the BSDs - you
need to add something like:

!
ip route 224.0.0.5/32 127.0.0.1
ip route 224.0.0.6/32 127.0.0.1
ip route 224.0.0.9/32 127.0.0.1
!

near the end of zebra.conf. (ok, so the last one is for RIP, but it doesn't
hurt).

> Theory:> - I misconfigured Zebra.

--
Internet Vision          Internet Consultancy      Tel: 020 7589 4500
60 Albert Court          & Web development         Fax: 020 7589 4522
Prince Consort Road      [email protected]
London SW7 2BE           http://www.ivision.co.uk/

List: zebra
Subject: [zebra 10726] Re: Q: OSPF is not establishing adjacency
From: [email protected]
Date: 2001-10-05 16:28:34

On 4 Oct 2001 at 20:49, Markus Böing wrote:

> Observation:
> - Debug on the Cisco boxes does not show Hello packets emitted from
>   the Zebra box.
> - Debug on the Zebra box shows incoming Hello packets
>   (HelloReceived, 1-WayReceived) and "sendto in ospf_write failed with
>   No route to host".

This is a bug in Zebra and/or BSD. The kernel in BSD tries to do a route
lookup on the multicast destination 224.0.0.5 (AllSPFRouters), which
fails if there is no default-route or other route to a prefix covering
that address.

I believe old gated installs the needed dummy route in order to avoidthis problem, which Zebra also should do IMHO.

I recently saw a suggested modification to FreeBSD kernel - if the
output interface is indicated and the packet type is multicast in the
call to ip_output() then just send the packet and ignore the routing
table - in order to avoid this and similar multicast-related problems
when the system lacks a default route.

I don't know if it has been implemented for future FreeBSD kernels, but
even if it has it will take some time I guess before all flavors of BSD
support it and have been upgraded out there. Which means that we are
back to a Zebra modification. So far I don't know if any of the Zebra
people has responded to this issue and if it is a planned modification?
--
Fredrik Nyman
PacketFront Sweden AB
http://www.packetfront.com/

List: zebra
Subject: [zebra 10733] Re: Q: OSPF is not establishing adjacency
From: "Daniel C. Sobral" <[email protected]>
Date: 2001-10-05 19:45:21

[email protected] wrote:

>
> This is a bug in Zebra and/or BSD. The kernel in BSD tries to do a route
> lookup on the multicast destination 224.0.0.5 (AllSPFRouters), which
> fails if there is no default-route or other route to a prefix covering
> that address.

According to the Multicast RFC, the bug is in the BSD kernel. Alas, afaik
all ip stacks out there had this problem at some point. It was just BSD
taking longer to fix this.

Alas, the patch was in for FreeBSD-current for quite a while, and I have
just committed it on FreeBSD-stable (I was waiting 4.4 to come out, as I
didn't want to commit something like this close to code freeze date).

--
Daniel C. Sobral (8-DCS)
[email protected]@[email protected]@notorious.bsdconspiracy.net


TRUTHFUL: Dumb and illiterate.

B.3.4 Solution

Added static routes for the multicast addresses 224.0.0.5 (AllSPFRouters) and 224.0.0.6 (AllDRouters) to zebra.conf.
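The mechanism the thread describes, as an added example (not Zebra code and not part of this logbook): BSD's ip_output() does a routing-table lookup on the destination before it will send, even for a link-local multicast group, so a host with only a connected /27 and no default route has nothing covering 224.0.0.5 and ospfd's sendto() fails with EHOSTUNREACH, which is the "No route to host" in the debug output. The Python below models that lookup with a small longest-prefix-match table, rebuilds Gamma's table from the addresses in the post, and then applies the zebra.conf host routes from the thread. Table entries and outcome strings are constructed for the example.

```python
"""Added example: why a multicast send needs a covering route on BSD, and what the
zebra.conf fix changes.  Standard library only."""
import ipaddress

ALL_SPF_ROUTERS = "224.0.0.5"   # every OSPF router on the segment
ALL_D_ROUTERS = "224.0.0.6"     # DR and BDR only
RIP_ROUTERS = "224.0.0.9"       # the extra route from the thread; harmless for OSPF


class Fib:
    """Tiny longest-prefix-match table: entries are (network, next hop or 'connected')."""

    def __init__(self):
        self.entries = []

    def add(self, prefix: str, via: str = "connected") -> None:
        self.entries.append((ipaddress.ip_network(prefix), via))

    def lookup(self, destination: str):
        """Return the most specific (network, via) covering destination, or None (EHOSTUNREACH)."""
        addr = ipaddress.ip_address(destination)
        best = None
        for net, via in self.entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best


def ospf_write(fib: Fib, group: str = ALL_SPF_ROUTERS) -> str:
    """Outcome of one Hello transmission, worded like the ospfd debug line from the post."""
    hit = fib.lookup(group)
    if hit is None:
        return "sendto in ospf_write failed with No route to host"
    return f"Hello to {group} sent via {hit[0]} ({hit[1]})"


def gamma_before() -> Fib:
    # Gamma as posted: one connected LAN plus loopback, no default route, nothing covering 224/4
    fib = Fib()
    fib.add("192.168.16.0/27")
    fib.add("127.0.0.0/8")
    return fib


def gamma_after() -> Fib:
    # The zebra.conf fix from the thread: host routes for the multicast groups via 127.0.0.1.
    # A default route would also satisfy the lookup, which is why routers with one rarely see this.
    fib = gamma_before()
    for group in (ALL_SPF_ROUTERS, ALL_D_ROUTERS, RIP_ROUTERS):
        fib.add(f"{group}/32", "127.0.0.1")
    return fib


if __name__ == "__main__":
    print("before:", ospf_write(gamma_before()))
    print("after: ", ospf_write(gamma_after()))
```

The next hop on a /32 to 224.0.0.5 is never used for delivery (the packet still goes out the OSPF interface as a link-local multicast); the route exists only so the lookup succeeds.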


B.4 2001-03-17 - RADIUS on DEC Alpha running NetBSD

B.4.1 Status: OPEN

B.4.2 Symptom

During the course of this endeavor I acquired a new machine (Tigerente). Tigerente is a DEC AlphaStation 200 running the NetBSD 1.5/alpha operating system. My intent was/is to use this machine to provide all network-centric services such as DNS, NTP, FTP, HTTP and others. As of today (17 March 2001) Tigerente is the primary provider of DNS, NTP, FTP, TFTP and HTTP services.

My attempt to provide AAA services through node Tigerente has not yet been successful. I installed Cistron RADIUS v1.6.4 (built from source) but could not get it working. I de-installed Cistron and installed Merit AAA v3.6B (NetBSD 1.5-alpha package) instead but could not get it working either. I installed TACACS (NetBSD 1.5-alpha package) but, to my surprise, it worked no better than the two RADIUS servers. In every case authentication failed with messages complaining about mismatching keys.

I am pretty confident that the configurations (and the keys) are correct. I do not have even a vague idea about the cause of this. Further research is required. :) For the moment node Fruchtzwerg (iMac running MacOS X) is providing RADIUS services.

B.4.3 Analysis

Merit AAA: output from "debug radius" on the router and the "-x" output from radiusd.

This is a login attempt to the router using an account/password tuple in /etc/passwd:

Beta#deb radiusRadius protocol debugging is onBeta#term moniBeta#! This is using account markus, should be using /etc/passwdJun 24 14:12:37.007: RADIUS: ustruct sharecount=1Jun 24 14:12:37.011: Radius: radius_port_info() success=1 radius_nas_port=1Jun 24 14:12:37.019: RADIUS: Initial Transmit tty3 id 3 192.168.16.201:1812, Access-Request, len 80Jun 24 14:12:37.019: Attribute 4 6 C0A82002Jun 24 14:12:37.023: Attribute 5 6 00000003Jun 24 14:12:37.023: Attribute 61 6 00000005Jun 24 14:12:37.027: Attribute 1 8 6D61726BJun 24 14:12:37.027: Attribute 31 16 3139322EJun 24 14:12:37.031: Attribute 2 18 7932B486Jun 24 14:12:37.071: RADIUS: Received from id 3 192.168.16.201:1812, Access-Reject, len 135Jun 24 14:12:37.075: Attribute 4 6 C0A82002Jun 24 14:12:37.075: Attribute 5 6 00000003

17-March-200110

Concept: November 24, 2002 131

Page 132: Network static Lab workbook

Problem and Resolution Log 2001-03-17 - RADIUS on DEC Alpha running NetBSD

125

Jun 24 14:12:37.079: Attribute 61 6 00000005Jun 24 14:12:37.079: Attribute 1 8 6D61726BJun 24 14:12:37.083: Attribute 31 16 3139322EJun 24 14:12:37.083: Attribute 2 18 7932B486Jun 24 14:12:37.087: Attribute 222 8 6D61726BJun 24 14:12:37.087: Attribute 32 16 62657461Jun 24 14:12:37.091: Attribute 11 7 756E6C69Jun 24 14:12:37.091: Attribute 18 24 41757468Jun 24 14:12:37.095: RADIUS: Response (3) failed decryptJun 24 14:12:37.099: RADIUS: Reply for 3 fails decrypt

And this is what radius.debug thinks about it:

Program = radiusdNAS-IP-Address = 192.168.32.2 [flags = 0x00004500]NAS-Port = 3 [flags = 0x00004500]NAS-Port-Type = Virtual [flags = 0x00004500]User-Name = "markus" [flags = 0x00004500]Calling-Station-Id = "192.168.16.200" [flags = 0x00004500]User-Password = "y2\0xb4\0x86\n~xS\0xc5h\0x1f;\0xd3\0x8f\0xdd\0xdd" [flags = 0x00004500]

get_radrequest: Request from c0a82002 (beta.brest.lab[1645]) access, id = 3, len = 80unix_pass: ID = ’markus’unix_pass: encrypted passwords do not match

NAS-IP-Address = 192.168.32.2 [flags = 0x00004500]NAS-Port = 3 [flags = 0x00004500]NAS-Port-Type = Virtual [flags = 0x00004500]User-Name = "markus" [flags = 0x00004500]Calling-Station-Id = "192.168.16.200" [flags = 0x00004500]User-Password = "y2\0xb4\0x86\n~xS\0xc5h\0x1f;\0xd3\0x8f\0xdd\0xdd" [flags = 0x00004500]User-Id = "markus" [flags = 0x00000400]NAS-Identifier = "beta.brest.lab" [flags = 0x00004500]Filter-Id = "unlim" [flags = 0x00004400]Reply-Message = "Authentication failure" [flags = 0x00004000]

send_reply: Authentication: 3/0 ’markus’ from beta.brest.lab port 3

This is a login attempt to the router using an account/password tuple in ”users”:

Beta#Beta#! This is using account labdog - should be using password from the file usersBeta#Jun 24 14:19:30.744: RADIUS: ustruct sharecount=1Jun 24 14:19:30.744: Radius: radius_port_info() success=1 radius_nas_port=1Jun 24 14:19:30.752: RADIUS: Initial Transmit tty3 id 4 192.168.16.201:1812, Access-Request, len 80Jun 24 14:19:30.756: Attribute 4 6 C0A82002Jun 24 14:19:30.756: Attribute 5 6 00000003Jun 24 14:19:30.760: Attribute 61 6 00000005Jun 24 14:19:30.760: Attribute 1 8 6C616264Jun 24 14:19:30.764: Attribute 31 16 3139322EJun 24 14:19:30.764: Attribute 2 18 520EB2B4Jun 24 14:19:30.777: RADIUS: Received from id 4 192.168.16.201:1812, Access-Reject, len 135

Concept: November 24, 2002 132

Page 133: Network static Lab workbook

Problem and Resolution Log 2001-03-17 - RADIUS on DEC Alpha running NetBSD

126

Jun 24 14:19:30.781: Attribute 4 6 C0A82002Jun 24 14:19:30.781: Attribute 5 6 00000003Jun 24 14:19:30.785: Attribute 61 6 00000005Jun 24 14:19:30.785: Attribute 1 8 6C616264Jun 24 14:19:30.789: Attribute 31 16 3139322EJun 24 14:19:30.789: Attribute 2 18 520EB2B4Jun 24 14:19:30.793: Attribute 222 8 6C616264Jun 24 14:19:30.793: Attribute 32 16 62657461Jun 24 14:19:30.797: Attribute 11 7 756E6C69Jun 24 14:19:30.797: Attribute 18 24 41757468Jun 24 14:19:30.801: RADIUS: Response (4) failed decryptJun 24 14:19:30.805: RADIUS: Reply for 4 fails decrypt

And here is radius.debug again:

NAS-IP-Address = 192.168.32.2 [flags = 0x00004500]
NAS-Port = 3 [flags = 0x00004500]
NAS-Port-Type = Virtual [flags = 0x00004500]
User-Name = "labdog" [flags = 0x00004500]
Calling-Station-Id = "192.168.16.200" [flags = 0x00004500]
User-Password = "R\0x0e\0xb2\0xb4\0x82\0xd42&\0x0b-\0x1a\0x9c\0xb6\0x01R\0xc7" [flags = 0x00004500]

get_radrequest: Request from c0a82002 (beta.brest.lab[1645]) access, id = 4, len = 80
NAS-IP-Address = 192.168.32.2 [flags = 0x00004500]
NAS-Port = 3 [flags = 0x00004500]
NAS-Port-Type = Virtual [flags = 0x00004500]
User-Name = "labdog" [flags = 0x00004500]
Calling-Station-Id = "192.168.16.200" [flags = 0x00004500]
User-Password = "R\0x0e\0xb2\0xb4\0x82\0xd42&\0x0b-\0x1a\0x9c\0xb6\0x01R\0xc7" [flags = 0x00004500]
User-Id = "labdog" [flags = 0x00000400]
NAS-Identifier = "beta.brest.lab" [flags = 0x00004500]
Filter-Id = "unlim" [flags = 0x00004400]
Reply-Message = "Authentication failure" [flags = 0x00004000]

send_reply: Authentication: 4/1 'labdog' from beta.brest.lab port 3
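The line "RADIUS: Response (4) failed decrypt" is IOS reporting that the Response Authenticator of the Access-Reject (an MD5 over the reply header, the request authenticator, the reply attributes and the shared secret, RFC 2865 section 3) did not match what the NAS computed, so the reply was discarded. The following added example, which is not part of the logbook, implements the RFC 2865 arithmetic involved: the User-Password hiding that produced the two garbled User-Password values above, the Response Authenticator, and the check the NAS performs before trusting a reply. The shared secret, user password and users table are constructed for the example; the lab's real values are not on the page. Running demo() with different secrets on the two sides reproduces the same pair of symptoms (an Access-Reject that the NAS then cannot verify); whether that was the cause in the lab is not recorded.

```python
"""RFC 2865 password hiding, Response Authenticator and NAS-side reply check.
Added example, not from the logbook; SECRET and the users table are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE = 1, 2, 4, 5, 18
SECRET = b"lab-shared-secret"   # constructed; the real shared secret is not on the page


def attr(atype, value):
    """Encode one attribute as Type, Length (header included), Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(blob):
    """Return [(type, value)], rejecting truncated or zero-length attributes."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        out.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return out


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block),
    the first block being keyed by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; the chaining value is the received ciphertext block."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def access_request(ident, user, password, secret, req_auth):
    """What the NAS sends; NAS-IP-Address 192.168.32.2 and port 3 mirror the debug above."""
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes([192, 168, 32, 2]))
             + attr(NAS_PORT, struct.pack("!I", 3)))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_reply(request, users, secret):
    """Minimal server: recover the password, compare it, sign the reply with its own secret."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    fields = dict(parse_attrs(request[20:length]))
    user, hidden = fields.get(USER_NAME), fields.get(USER_PASSWORD)
    try:
        ok = (user in users and hidden is not None
              and hmac.compare_digest(reveal_password(hidden, secret, req_auth), users[user]))
    except ValueError:
        ok = False
    code, attrs = (ACCESS_ACCEPT, b"") if ok else (ACCESS_REJECT, attr(REPLY_MESSAGE, b"Authentication failure"))
    return packet(code, ident, response_authenticator(code, ident, req_auth, attrs, secret), attrs)


def nas_verify_reply(reply, req_auth, secret):
    """The check IOS performs before trusting a reply; a mismatch is its 'failed decrypt'."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, req_auth, reply[20:], secret)
    return hmac.compare_digest(reply[4:20], expected)


def demo(nas_secret=SECRET, server_secret=SECRET):
    """One exchange for constructed user 'labdog'; returns (reply code, NAS verified it?)."""
    req_auth = os.urandom(16)                      # fresh per request, as the NAS must do
    request = access_request(4, b"labdog", b"labdog-pw", nas_secret, req_auth)
    reply = server_reply(request, {b"labdog": b"labdog-pw"}, server_secret)
    return reply[0], nas_verify_reply(reply, req_auth, nas_secret)


if __name__ == "__main__":
    print(demo())                                  # (2, True): Accept, authenticator verifies
    print(demo(server_secret=b"other-secret"))     # (3, False): Reject that the NAS cannot verify
```

The password hiding is reversible by anyone holding the shared secret and a capture of the request, and the only integrity protection on a reply is the MD5 with that secret, which is why the secret has to be strong and per NAS; the reveal step is also where a server that disagrees with the NAS on the secret ends up comparing garbage to the users file and rejecting.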

B.4.4 Solution

None.


C Activity Log

C.1 How to add IPv6 to the Lab Network

We assume that the static lab is already configured correctly for IPv4. The following steps then implement the IPv6 architecture described above.

C.1.1 Configure Route Reflectors

In the first step we configure Anchor and Dinghy as BGP route reflectors.

Enable IPv6 on Anchor and Dinghy

Add the following lines to /etc/rc.conf to enable IPv6 on Anchor (NetBSD/alpha 1.6) and Dinghy (NetBSD/sgimips 1.6).

Anchor

# IPv6 routing
# IPv6 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet6.ip6.forwarding=1
# Routing daemons are started via daemontools
# -> /service/zebra
# -> /service/bgpd
ip6mode=router          # host, autohost or router
ip6sitelocal=YES        # IPv6 sitelocal addrs
rtadvd=YES  rtadvd_flags="tlp0"
rtsol=NO    rtsol_flags="-a"    # for ip6mode=autohost only

Dinghy

# IPv6 routing
# IPv6 forwarding is enabled in /etc/rc.local
# -> sysctl -w net.inet6.ip6.forwarding=1
# Routing daemons are started via daemontools
# -> /service/zebra
# -> /service/bgpd
ip6mode=router          # host, autohost or router
ip6sitelocal=YES        # IPv6 sitelocal addrs
rtadvd=YES  rtadvd_flags="sq0"
rtsol=NO    rtsol_flags="-a"    # for ip6mode=autohost only

Add the following lines to /etc/rc.local to enable IPv6 forwarding on Anchor and Dinghy.

Anchor


# Enable IPv6 forwarding
sysctl -w net.inet6.ip6.forwarding=1

Dinghy

# Enable IPv6 forwarding
sysctl -w net.inet6.ip6.forwarding=1

Configure IPv6 Addresses on Ethernet and Loopback Interfaces

Edit the file /etc/ifconfig.<interface> to configure an interface permanently on NetBSD.

Anchor

[email protected]# cat /etc/ifconfig.lo0
inet6 fefe::a prefixlen 128
[email protected]#
[email protected]# cat /etc/ifconfig.tlp0
up
172.16.254.2 netmask 0xffffff00 media 10baseT
inet6 fefe:a::1 prefixlen 64
[email protected]#

Dinghy

[email protected]# cat /etc/ifconfig.lo0
inet6 fefe::d prefixlen 128
[email protected]#
[email protected]# cat /etc/ifconfig.sq0
up
172.16.255.2 netmask 0xffffff00
inet6 fefe:d::1 prefixlen 64
[email protected]#

Create Tunnel between Anchor and Dinghy

Create the following files to configure the tunnel between Anchor and Dinghy.

Anchor

[email protected]# cat ifconfig.gif0
create
tunnel 172.16.254.2 172.16.255.2
inet6 fefe:bb::1 prefixlen 126
[email protected]#

Dinghy

[email protected]# cat /etc/ifconfig.gif0
create
tunnel 172.16.255.2 172.16.254.2
inet6 fefe:bb::2 prefixlen 126
[email protected]#


Reboot the machines and check the tunnel.

Anchor

[email protected]# ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 172.16.254.2 --> 172.16.255.2
        inet6 fe80::200:f8ff:fe20:5a6e%gif0 -> :: prefixlen 64 scopeid 0xc
[email protected]#
[email protected]# ping6 -c 5 ff02::1%gif0
PING6(64=40+8+16 bytes) fe80::200:f8ff:fe20:5a6e%gif0 --> ff02::1%gif0
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=0 hlim=64 time=1.234 ms
24 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=0 hlim=64 time=9.155 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=1 hlim=64 time=0.782 ms
24 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=1 hlim=64 time=8.779 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=2 hlim=64 time=1.212 ms
24 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=2 hlim=64 time=9.161 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=3 hlim=64 time=0.726 ms
24 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=3 hlim=64 time=8.785 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=4 hlim=64 time=0.726 ms

--- ff02::1%gif0 ping6 statistics ---
5 packets transmitted, 5 packets received, +4 duplicates, 0% packet loss
round-trip min/avg/max/std-dev = 0.726/4.507/9.161/3.998 ms
[email protected]#

Dinghy

[email protected]# ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 172.16.255.2 --> 172.16.254.2
        inet6 fe80::a00:69ff:fe06:d6ce%gif0 -> :: prefixlen 64 scopeid 0x9
[email protected]#
[email protected]# ping6 -c5 ff02::1%gif0
PING6(56=40+8+8 bytes) fe80::a00:69ff:fe06:d6ce%gif0 --> ff02::1%gif0
16 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=0 hlim=64 time=1.16 ms
16 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=0 hlim=64 time=10.059 ms(DUP!)
16 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=1 hlim=64 time=0.91 ms
16 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=1 hlim=64 time=8.667 ms(DUP!)
16 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=2 hlim=64 time=0.921 ms
16 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=2 hlim=64 time=8.335 ms(DUP!)
16 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=3 hlim=64 time=0.926 ms
16 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=3 hlim=64 time=8.489 ms(DUP!)
16 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=4 hlim=64 time=0.92 ms

--- ff02::1%gif0 ping6 statistics ---
5 packets transmitted, 5 packets received, +4 duplicates, 0% packet loss
round-trip min/avg/max/std-dev = 0.910/4.487/10.059/3.963 ms
[email protected]#


See the DUPs? That's good news: it shows that the other end of the tunnel is responding as well, which implies that the tunnel is up and running. Note that we have not explicitly configured IPv6 addresses on the tunnel; we are using link-local addresses. Keep in mind that a gif tunnel is plain IPv6-in-IPv4 (IP protocol 41) with no authentication: the only thing tying a packet to the tunnel is its outer IPv4 source and destination, so outside a closed lab, protocol 41 should be filtered at the edge or the tunnel carried inside IPsec.
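The DUP! marker is only a side effect of reply ordering (the local stack answers first, so the far end's reply to the same sequence number is counted as a duplicate). A more robust form of the same check is to collect the set of addresses that answered the all-nodes ping and see whether any of them is not our own link-local address. The following added example (not from the logbook) parses the ifconfig gif0 and ping6 ff02::1%gif0 output shown above for Anchor, transcribed here as the sample input, and reports whether the far end answered and how many of the echoes it answered; on this sample it notices that the fifth echo got no far-end reply before ping6 exited, which the DUP count alone hides.

```python
"""Tunnel liveness check built on `ifconfig gifN` and `ping6 ff02::1%gifN` output.
Added example, not from the logbook; the sample texts are transcribed from the
Anchor session above."""
import re

IFCONFIG_GIF0 = """\
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 172.16.254.2 --> 172.16.255.2
        inet6 fe80::200:f8ff:fe20:5a6e%gif0 -> :: prefixlen 64 scopeid 0xc
"""

PING6_GIF0 = """\
PING6(64=40+8+16 bytes) fe80::200:f8ff:fe20:5a6e%gif0 --> ff02::1%gif0
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=0 hlim=64 time=1.234 ms
24 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=0 hlim=64 time=9.155 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=1 hlim=64 time=0.782 ms
24 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=1 hlim=64 time=8.779 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=2 hlim=64 time=1.212 ms
24 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=2 hlim=64 time=9.161 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=3 hlim=64 time=0.726 ms
24 bytes from fe80::a00:69ff:fe06:d6ce%gif0, icmp_seq=3 hlim=64 time=8.785 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif0, icmp_seq=4 hlim=64 time=0.726 ms

--- ff02::1%gif0 ping6 statistics ---
5 packets transmitted, 5 packets received, +4 duplicates, 0% packet loss
round-trip min/avg/max/std-dev = 0.726/4.507/9.161/3.998 ms
"""

IFCONFIG_RE = re.compile(r"^(\S+): flags=[0-9a-fA-F]+<([^>]*)> mtu (\d+)")
TUNNEL_RE = re.compile(r"tunnel inet (\S+) --> (\S+)")
LINKLOCAL_RE = re.compile(r"inet6 (fe80:[0-9a-fA-F:]+)%(\S+)")
REPLY_RE = re.compile(
    r"bytes from ([0-9a-fA-F:]+)%(\S+), icmp_seq=(\d+) hlim=\d+ time=([\d.]+) ms(\(DUP!\))?")
SENT_RE = re.compile(r"(\d+) packets transmitted")


def parse_ifconfig(text):
    """Interface name, flags, MTU, outer IPv4 endpoints and our own link-local address."""
    m = IFCONFIG_RE.match(text)
    if not m:
        raise ValueError("not ifconfig output")
    t, ll = TUNNEL_RE.search(text), LINKLOCAL_RE.search(text)
    return {"name": m.group(1), "flags": set(m.group(2).split(",")), "mtu": int(m.group(3)),
            "tunnel": (t.group(1), t.group(2)) if t else None,
            "link_local": ll.group(1) if ll else None}


def parse_ping6(text):
    """Every reply as (responder, seq, rtt_ms, flagged_as_dup) plus the transmit count."""
    replies = [(m.group(1), int(m.group(3)), float(m.group(4)), bool(m.group(5)))
               for m in REPLY_RE.finditer(text)]
    sent = SENT_RE.search(text)
    return {"replies": replies, "transmitted": int(sent.group(1)) if sent else None}


def tunnel_status(ifconfig_text, ping_text):
    """Far end is alive if some address other than ours answered; loss is computed
    from the far end's replies only, independent of the DUP! bookkeeping."""
    iface, ping = parse_ifconfig(ifconfig_text), parse_ping6(ping_text)
    own = iface["link_local"]
    far = [r for r in ping["replies"] if r[0] != own]
    far_addrs = sorted({r[0] for r in far})
    answered = {r[1] for r in far}
    tx = ping["transmitted"]
    return {
        "interface": iface["name"],
        "up": {"UP", "RUNNING"} <= iface["flags"],
        "mtu": iface["mtu"],
        "tunnel": iface["tunnel"],
        "own_link_local": own,
        "far_end": far_addrs,
        "far_end_answers": bool(far_addrs),
        "unexpected_responders": len(far_addrs) > 1,   # more than one far end on a p2p link
        "far_end_loss": (1 - len(answered) / tx) if tx else None,
        "far_end_rtt_max_ms": max((r[2] for r in far), default=None),
    }


if __name__ == "__main__":
    for key, value in tunnel_status(IFCONFIG_GIF0, PING6_GIF0).items():
        print(f"{key:>22}: {value}")
```

On a live box the two texts would come from subprocess calls to ifconfig and ping6; the point of separating the parsing is that it can be run against captured output such as the sessions in this log.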

Configure iBGP between Anchor and Dinghy

We use loopback addresses for BGP peering. In order to make these addresses reachable from the remote node we must add static routes to /etc/zebra.conf.

Anchor

[email protected]# cat /etc/zebra.conf | grep "ipv6 route"
ipv6 route fefe::d/128 gif0
[email protected]#
[email protected]# ping6 -c5 fefe::d
PING6(64=40+8+16 bytes) fefe::a --> fefe::d
24 bytes from fefe::d, icmp_seq=0 hlim=64 time=9.053 ms
24 bytes from fefe::d, icmp_seq=1 hlim=64 time=8.439 ms
24 bytes from fefe::d, icmp_seq=2 hlim=64 time=8.495 ms
24 bytes from fefe::d, icmp_seq=3 hlim=64 time=14.207 ms
24 bytes from fefe::d, icmp_seq=4 hlim=64 time=8.51 ms

--- fefe::d ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 8.439/9.741/14.207/2.244 ms
[email protected]#

Dinghy

[email protected]# cat /etc/zebra.conf | grep "ipv6 route"
ipv6 route fefe::a/128 gif0
[email protected]#
[email protected]# ping6 -c 5 fefe::a
PING6(56=40+8+8 bytes) fefe::d --> fefe::a
16 bytes from fefe::a, icmp_seq=0 hlim=64 time=9.642 ms
16 bytes from fefe::a, icmp_seq=1 hlim=64 time=8.435 ms
16 bytes from fefe::a, icmp_seq=2 hlim=64 time=8.281 ms
16 bytes from fefe::a, icmp_seq=3 hlim=64 time=8.319 ms
16 bytes from fefe::a, icmp_seq=4 hlim=64 time=8.285 ms

--- fefe::a ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 8.281/8.592/9.642/0.528 ms
[email protected]#

Now that the peer's loopback is reachable we can start to configure BGP. Did I already say that zebra was compiled with --enable-multipath=4 on both boxes?

Anchor


[email protected]# cat /etc/bgpd.conf
!
! Zebra configuration saved from vty
!   2002/10/09 16:31:43
!
hostname Anchor(bgpd)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/bgpd.log
!
router bgp 65000
 bgp deterministic-med
 neighbor MESH peer-group
 neighbor MESH remote-as 65000
 neighbor MESH description Fellow route reflectors
 neighbor MESH update-source lo0
 no neighbor MESH activate
!
 address-family ipv6
 redistribute connected
 neighbor MESH activate
 neighbor MESH next-hop-self
 neighbor MESH route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::d peer-group MESH
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 set ipv6 next-hop global fefe::a
!
line vty
[email protected]#

Dinghy

[email protected]# cat /etc/bgpd.conf
!
! Zebra configuration saved from vty
!   2002/10/10 11:41:53
!
hostname Dinghy(bgpd)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/bgpd.log
!
router bgp 65000
 bgp deterministic-med
 neighbor MESH peer-group
 neighbor MESH remote-as 65000
 neighbor MESH description Fellow route reflectors
 neighbor MESH update-source lo0
 no neighbor MESH activate
!
 address-family ipv6
 redistribute connected
 neighbor MESH activate
 neighbor MESH next-hop-self
 neighbor MESH route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::a peer-group MESH
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 set ipv6 next-hop global fefe::d
!
line vty
[email protected]#

Let's see if the configuration works properly. Note that the vty and enable passwords above are stored in clear text and the bgpd vty on port 2605 is reached over telnet, so the rtr3 sessions below carry them unencrypted over the office network; that is acceptable in the lab, but anywhere else restrict the vty (zebra's line vty access-class) to the management host.

Anchor

[email protected]# rtr3 anchor:2605 show ip bgp scan : show ip bgp neig : show ipv6 bgp
spawn /bin/sh -c exec telnet anchor 2605
Trying 172.16.254.2...
Connected to anchor.brest.lab.
Escape character is '^]'.

Hello, this is zebra (version 0.93b).
Copyright 1996-2002 Kunihiro Ishiguro.

User Access Verification

Password:
Anchor(bgpd)> enable
Password:
Anchor(bgpd)# term leng 0
Anchor(bgpd)# show ip bgp scan
BGP scan is running
BGP scan interval is 60
Current BGP nexthop cache:
 fefe::d valid [IGP metric 0]
BGP connected route:
 172.16.254.0/24
 fefe:a::/64
Anchor(bgpd)# show ip bgp neig
BGP neighbor is fefe::d, remote AS 65000, local AS 65000, internal link
 Member of peer-group MESH for session parameters
  BGP version 4, remote router ID 172.16.255.2
  BGP state = Established, up for 00:05:17


  Last read 00:00:17, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    Address family IPv6 Unicast: advertised and received
  Received 9 messages, 0 notifications, 0 in queue
  Sent 10 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 5 seconds
  Update source is lo0

 For address family: IPv6 Unicast
  MESH peer-group member
  NEXT_HOP is always this router
  Community attribute sent to this neighbor (both)
  Outbound path policy configured
  Route map for outgoing advertisements is *SET_NEXT_HOP_TO_GLOBAL_IP6
  2 accepted prefixes

  Connections established 1; dropped 0
Local host: fefe::a, Local port: 49157
Foreign host: fefe::d, Foreign port: 179
Nexthop: 172.16.254.2
Nexthop global: fefe::a
Nexthop local: ::
BGP connection: non shared network
Read thread: on  Write thread: off

Anchor(bgpd)# show ipv6 bgp
BGP table version is 0, local router ID is 172.16.254.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> fefe::a/128      ::                       0         32768 ?
*>ifefe::d/128      fefe::d                  0    100      0 ?
*> fefe:a::/64      ::                       0         32768 ?
*>ifefe:d::/64      fefe::d                  0    100      0 ?

Total number of prefixes 4
Anchor(bgpd)#
[email protected]#
[email protected]# ping6 -c5 fefe:d::1
PING6(64=40+8+16 bytes) fefe:a::1 --> fefe:d::1
24 bytes from fefe:d::1, icmp_seq=0 hlim=64 time=8.975 ms
24 bytes from fefe:d::1, icmp_seq=1 hlim=64 time=8.586 ms
24 bytes from fefe:d::1, icmp_seq=2 hlim=64 time=8.338 ms
24 bytes from fefe:d::1, icmp_seq=3 hlim=64 time=8.322 ms
24 bytes from fefe:d::1, icmp_seq=4 hlim=64 time=8.705 ms


--- fefe:d::1 ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 8.322/8.585/8.975/0.244 ms
[email protected]#

Looks good to me.

Dinghy

[email protected]# rtr3 dinghy:2605 show ip bgp scan : show ip bgp neig : show ipv6 bgp
spawn /bin/sh -c exec telnet dinghy 2605
Trying 172.16.255.2...
Connected to dinghy.brest.lab.
Escape character is '^]'.

Hello, this is zebra (version 0.93b).
Copyright 1996-2002 Kunihiro Ishiguro.

User Access Verification

Password:
Dinghy(bgpd)> enable
Password:
Dinghy(bgpd)# term leng 0
Dinghy(bgpd)# show ip bgp scan
BGP scan is running
BGP scan interval is 60
Current BGP nexthop cache:
 fefe::a valid [IGP metric 0]
BGP connected route:
 172.16.255.0/24
 fefe:d::/64
Dinghy(bgpd)# show ip bgp neig
BGP neighbor is fefe::a, remote AS 65000, local AS 65000, internal link
 Member of peer-group MESH for session parameters
  BGP version 4, remote router ID 172.16.254.2
  BGP state = Established, up for 00:07:38
  Last read 00:00:38, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    Address family IPv6 Unicast: advertised and received
  Received 31 messages, 0 notifications, 0 in queue
  Sent 31 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 5 seconds
  Update source is lo0

 For address family: IPv6 Unicast
  MESH peer-group member
  NEXT_HOP is always this router


  Community attribute sent to this neighbor (both)
  Outbound path policy configured
  Route map for outgoing advertisements is *SET_NEXT_HOP_TO_GLOBAL_IP6
  2 accepted prefixes

  Connections established 2; dropped 1
Local host: fefe::d, Local port: 179
Foreign host: fefe::a, Foreign port: 49157
Nexthop: 172.16.255.2
Nexthop global: fefe::d
Nexthop local: ::
BGP connection: non shared network
Read thread: on  Write thread: off

Dinghy(bgpd)# show ipv6 bgp
BGP table version is 0, local router ID is 172.16.255.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>ifefe::a/128      fefe::a                  0    100      0 ?
*> fefe::d/128      ::                       0         32768 ?
*>ifefe:a::/64      fefe::a                  0    100      0 ?
*> fefe:d::/64      ::                       0         32768 ?

Total number of prefixes 4
Dinghy(bgpd)#
[email protected]#
[email protected]# ping6 -c5 fefe:a::1
PING6(56=40+8+8 bytes) fefe:d::1 --> fefe:a::1
16 bytes from fefe:a::1, icmp_seq=0 hlim=64 time=9.523 ms
16 bytes from fefe:a::1, icmp_seq=1 hlim=64 time=15.738 ms
16 bytes from fefe:a::1, icmp_seq=2 hlim=64 time=8.398 ms
16 bytes from fefe:a::1, icmp_seq=3 hlim=64 time=15.604 ms
16 bytes from fefe:a::1, icmp_seq=4 hlim=64 time=8.226 ms

--- fefe:a::1 ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 8.226/11.498/15.738/3.437 ms
[email protected]#

Looks like we have got BGP working between Anchor and Dinghy. The next step is adding the edge router.


C.1.2 Configure Cisco Edge Router

As a second step we add an IPv6 edge router that peers with both route reflectors.

Enable IPv6 on Edge Router

Edge1

Edge1(config)#ipv6 unicast-routing
Edge1(config)#
Edge1(config)#interface loopback 0
Edge1(config-if)#ipv6 address fefe::e1/128
Edge1(config-if)#exit
Edge1(config)#
Edge1(config)#interface ethernet 0
Edge1(config-if)#ipv6 address fefe:e1::1/64
Edge1(config-if)#exit

Configure Tunnels

Edit the file /etc/ifconfig.gif1 to configure the tunnel interfaces permanently on Anchor and Dinghy. Use the command ifconfig gif1 with the same arguments to configure the tunnel interfaces on the fly.

Anchor

[email protected]# cat /etc/ifconfig.gif1
create
tunnel 172.16.254.2 172.16.0.11
inet6
[email protected]#

Dinghy

[email protected]# cat /etc/ifconfig.gif1
create
tunnel 172.16.255.2 172.16.0.11
inet6
[email protected]#

Edge1

Edge1(config)#interface tunnel 0
Edge1(config-if)#description IPv6 tunnel to router Anchor
Edge1(config-if)#ipv6 enable
Edge1(config-if)#tunnel source loopback 0
Edge1(config-if)#tunnel destination 172.16.254.2
Edge1(config-if)#tunnel mode ipv6ip
Edge1(config-if)#exit
Edge1(config)#
Edge1(config)#interface tunnel 1
Edge1(config-if)#description IPv6 tunnel to router Dinghy
Edge1(config-if)#ipv6 enable
Edge1(config-if)#tunnel source loopback 0
Edge1(config-if)#tunnel destination 172.16.255.2
Edge1(config-if)#tunnel mode ipv6ip
Edge1(config-if)#exit

Issue a wr mem command to save the configuration to the router's NVRAM.

Check if the tunnels are working.

Anchor

[email protected]# ping6 -c5 ff02::1%gif1
PING6(64=40+8+16 bytes) fe80::200:f8ff:fe20:5a6e%gif1 --> ff02::1%gif1
24 bytes from fe80::200:f8ff:fe20:5a6e%gif1, icmp_seq=0 hlim=64 time=1.3 ms
24 bytes from fe80::ac10:b%gif1, icmp_seq=0 hlim=64 time=7.116 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif1, icmp_seq=1 hlim=64 time=0.688 ms
24 bytes from fe80::ac10:b%gif1, icmp_seq=1 hlim=64 time=6.541 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif1, icmp_seq=2 hlim=64 time=0.718 ms
24 bytes from fe80::ac10:b%gif1, icmp_seq=2 hlim=64 time=6.741 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif1, icmp_seq=3 hlim=64 time=0.648 ms
24 bytes from fe80::ac10:b%gif1, icmp_seq=3 hlim=64 time=6.641 ms(DUP!)
24 bytes from fe80::200:f8ff:fe20:5a6e%gif1, icmp_seq=4 hlim=64 time=0.687 ms

--- ff02::1%gif1 ping6 statistics ---
5 packets transmitted, 5 packets received, +4 duplicates, 0% packet loss
round-trip min/avg/max/std-dev = 0.648/3.453/7.116/2.967 ms
[email protected]#

Dinghy

[email protected]# ping6 -c5 ff02::1%gif1
PING6(56=40+8+8 bytes) fe80::a00:69ff:fe06:d6ce%gif1 --> ff02::1%gif1
16 bytes from fe80::a00:69ff:fe06:d6ce%gif1, icmp_seq=0 hlim=64 time=1.182 ms
16 bytes from fe80::ac10:b%gif1, icmp_seq=0 hlim=64 time=11.309 ms(DUP!)
16 bytes from fe80::a00:69ff:fe06:d6ce%gif1, icmp_seq=1 hlim=64 time=0.898 ms
16 bytes from fe80::ac10:b%gif1, icmp_seq=1 hlim=64 time=7.95 ms(DUP!)
16 bytes from fe80::a00:69ff:fe06:d6ce%gif1, icmp_seq=2 hlim=64 time=0.883 ms
16 bytes from fe80::ac10:b%gif1, icmp_seq=2 hlim=64 time=7.638 ms(DUP!)
16 bytes from fe80::a00:69ff:fe06:d6ce%gif1, icmp_seq=3 hlim=64 time=0.926 ms
16 bytes from fe80::ac10:b%gif1, icmp_seq=3 hlim=64 time=7.866 ms(DUP!)
16 bytes from fe80::a00:69ff:fe06:d6ce%gif1, icmp_seq=4 hlim=64 time=0.895 ms

--- ff02::1%gif1 ping6 statistics ---
5 packets transmitted, 5 packets received, +4 duplicates, 0% packet loss
round-trip min/avg/max/std-dev = 0.883/4.394/11.309/3.975 ms
[email protected]#

The DUPs indicate that the far end of each tunnel (fe80::ac10:b, the link-local address Edge1 derives from its 172.16.0.11 tunnel source) is responding and the tunnel is operational.

Edge1


Edge1#show ipv6 int tun 0
Tunnel0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::AC10:B
  Description: IPv6 tunnel to router Anchor
  No global unicast address is configured
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF10:B
  MTU is 1480 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  Hosts use stateless autoconfig for addresses.
Edge1#
Edge1#show ipv6 int tun 1
Tunnel1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::AC10:B
  Description: IPv6 tunnel to router Dinghy
  No global unicast address is configured
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF10:B
  MTU is 1480 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  Hosts use stateless autoconfig for addresses.
Edge1#

Configure BGP on Route Reflectors

Add static routes to the loopback address of router Edge1 via the new gif1 tunnels.

Anchor

[email protected]# cat /etc/zebra.conf | grep "ipv6 route"
ipv6 route fefe::d/128 gif0
ipv6 route fefe::e1/128 gif1
[email protected]#

Dinghy

[email protected]# cat /etc/zebra.conf | grep "ipv6 route"
ipv6 route fefe::a/128 gif0
ipv6 route fefe::e1/128 gif1
[email protected]#


Configure BGP; we add a second peer group, CLIENTS, for the route reflector clients.

Anchor

[email protected]# cat /etc/bgpd.conf
!
! Zebra configuration saved from vty
!   2002/10/09 23:42:47
!
hostname Anchor(bgpd)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/bgpd.log
!
router bgp 65000
 bgp deterministic-med
 neighbor CLIENTS peer-group
 neighbor CLIENTS remote-as 65000
 neighbor CLIENTS description Route reflector clients
 neighbor CLIENTS update-source lo0
 no neighbor CLIENTS activate
 neighbor MESH peer-group
 neighbor MESH remote-as 65000
 neighbor MESH description Fellow route reflectors
 neighbor MESH update-source lo0
 no neighbor MESH activate
!
 address-family ipv6
 redistribute connected
 neighbor CLIENTS activate
 neighbor CLIENTS route-reflector-client
 neighbor CLIENTS next-hop-self
 neighbor CLIENTS route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor MESH activate
 neighbor MESH next-hop-self
 neighbor MESH route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::d peer-group MESH
 neighbor fefe::e1 peer-group CLIENTS
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 set ipv6 next-hop global fefe::a
!
line vty
[email protected]#

Dinghy


[email protected]# cat /etc/bgpd.conf
!
! Zebra configuration saved from vty
!   2002/10/10 18:51:24
!
hostname Dinghy(bgpd)
password 1q2w3e4r
enable password q1w2e3r4
log file /var/log/zebra/bgpd.log
!
router bgp 65000
 bgp deterministic-med
 neighbor CLIENTS peer-group
 neighbor CLIENTS remote-as 65000
 neighbor CLIENTS description Route reflector clients
 neighbor CLIENTS update-source lo0
 no neighbor CLIENTS activate
 neighbor MESH peer-group
 neighbor MESH remote-as 65000
 neighbor MESH description Fellow route reflectors
 neighbor MESH update-source lo0
 no neighbor MESH activate
!
 address-family ipv6
 redistribute connected
 neighbor CLIENTS activate
 neighbor CLIENTS route-reflector-client
 neighbor CLIENTS next-hop-self
 neighbor CLIENTS route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor MESH activate
 neighbor MESH next-hop-self
 neighbor MESH route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::a peer-group MESH
 neighbor fefe::e1 peer-group CLIENTS
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 set ipv6 next-hop global fefe::d
!
line vty
[email protected]#

Configure BGP on Cisco Edge Router

Edge1

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 bgp deterministic-med
 neighbor ROUTE-REFLECTORS peer-group
 neighbor ROUTE-REFLECTORS remote-as 65000
 neighbor ROUTE-REFLECTORS description Upstream route reflector servers
 neighbor ROUTE-REFLECTORS update-source Loopback0
 no neighbor ROUTE-REFLECTORS activate
 no auto-summary
 !
 address-family ipv6
 neighbor ROUTE-REFLECTORS activate
 neighbor ROUTE-REFLECTORS next-hop-self
 neighbor ROUTE-REFLECTORS send-community
 neighbor ROUTE-REFLECTORS route-map SET_NEXT_HOP_TO_GLOBAL_IP6 out
 neighbor fefe::a peer-group ROUTE-REFLECTORS
 neighbor fefe::d peer-group ROUTE-REFLECTORS
 no synchronization
 redistribute connected
 exit-address-family
!
route-map SET_NEXT_HOP_TO_GLOBAL_IP6 permit 10
 description Set next hop to global IPv6 addr; default is using link local IPv6 addr
 set ipv6 next-hop fefe::e1
!
ipv6 route fefe::a/128 Tunnel0
ipv6 route fefe::d/128 Tunnel1
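The three configurations above all follow one pattern: reflectors peer with each other in MESH and with every edge router in CLIENTS, each edge router peers with every reflector in ROUTE-REFLECTORS, every peering has a /128 static route pointing at the tunnel towards that peer, and every router rewrites the next hop of what it advertises to its own global loopback address. The added example below (not the logbook's own tooling) captures that pattern as data for the three lab routers and generates the per-router bgpd and static-route statements from it, in the zebra syntax for Anchor and Dinghy and the IOS variant (set ipv6 next-hop without global) for Edge1. It also checks the invariants that are easy to break by hand when a fourth router is added: unique, well-formed loopbacks, symmetric peerings, and a tunnel in both directions for every peering. The description, log, password and vty lines of the original configs are deliberately not generated.

```python
"""Topology-driven generation of the lab's IPv6 route-reflector configuration.
Added example; router names, loopbacks and tunnel interfaces are taken from the
sections above, everything else is derived from them."""
from dataclasses import dataclass, field
import ipaddress

LOCAL_AS = 65000
ROUTE_MAP = "SET_NEXT_HOP_TO_GLOBAL_IP6"


@dataclass
class Node:
    name: str
    loopback: str          # global /128 used as peering address and as next hop
    reflector: bool
    style: str             # "zebra" (Anchor, Dinghy) or "ios" (Edge1): syntax only
    lo_if: str             # interface used as update-source
    tunnels: dict = field(default_factory=dict)   # peer name -> local tunnel interface


NODES = {
    "Anchor": Node("Anchor", "fefe::a", True, "zebra", "lo0",
                   {"Dinghy": "gif0", "Edge1": "gif1"}),
    "Dinghy": Node("Dinghy", "fefe::d", True, "zebra", "lo0",
                   {"Anchor": "gif0", "Edge1": "gif1"}),
    "Edge1": Node("Edge1", "fefe::e1", False, "ios", "Loopback0",
                  {"Anchor": "Tunnel0", "Dinghy": "Tunnel1"}),
}


def peer_groups(node, nodes=NODES):
    """Reflectors: MESH = the other reflectors, CLIENTS = the edge routers.
    Edge routers: ROUTE-REFLECTORS = all reflectors."""
    others = [n for n in nodes.values() if n.name != node.name]
    if node.reflector:
        return {"MESH": [n for n in others if n.reflector],
                "CLIENTS": [n for n in others if not n.reflector]}
    return {"ROUTE-REFLECTORS": [n for n in others if n.reflector]}


def all_peers(node, nodes=NODES):
    return [p for group in peer_groups(node, nodes).values() for p in group]


def static_routes(node, nodes=NODES):
    """One /128 static route per peer loopback via the tunnel towards that peer
    (zebra.conf on the reflectors, global configuration on Edge1)."""
    lines = []
    for p in all_peers(node, nodes):
        if p.name not in node.tunnels:
            raise ValueError(f"{node.name} has no tunnel towards peer {p.name}")
        lines.append(f"ipv6 route {p.loopback}/128 {node.tunnels[p.name]}")
    return lines


def bgp_config(node, nodes=NODES):
    groups = peer_groups(node, nodes)
    out = [f"router bgp {LOCAL_AS}", " bgp deterministic-med"]
    for g in groups:                       # session parameters; IPv4 unicast stays inactive
        out += [f" neighbor {g} peer-group",
                f" neighbor {g} remote-as {LOCAL_AS}",
                f" neighbor {g} update-source {node.lo_if}",
                f" no neighbor {g} activate"]
    out += [" address-family ipv6", "  redistribute connected"]
    for g, members in groups.items():
        out.append(f"  neighbor {g} activate")
        if g == "CLIENTS":
            out.append(f"  neighbor {g} route-reflector-client")
        out += [f"  neighbor {g} next-hop-self",
                f"  neighbor {g} route-map {ROUTE_MAP} out"]
        out += [f"  neighbor {m.loopback} peer-group {g}" for m in members]
    out.append(" exit-address-family")
    nh = "set ipv6 next-hop global" if node.style == "zebra" else "set ipv6 next-hop"
    out += [f"route-map {ROUTE_MAP} permit 10", f" {nh} {node.loopback}"]
    return out


def check_topology(nodes=NODES):
    """Return a list of problems; an empty list means the design invariants hold."""
    problems, seen = [], {}
    for n in nodes.values():
        addr = ipaddress.IPv6Address(n.loopback)          # raises on a malformed address
        if addr in seen:
            problems.append(f"loopback {n.loopback} used by {seen[addr]} and {n.name}")
        seen[addr] = n.name
        for p in all_peers(n, nodes):
            if n.name not in [x.name for x in all_peers(p, nodes)]:
                problems.append(f"{p.name} does not peer back with {n.name}")
            if n.name < p.name and (p.name not in n.tunnels or n.name not in p.tunnels):
                problems.append(f"missing tunnel between {n.name} and {p.name}")
    if not any(n.reflector for n in nodes.values()):
        problems.append("no route reflector defined")
    return problems


if __name__ == "__main__":
    for problem in check_topology():
        print("PROBLEM:", problem)
    for node in NODES.values():
        print(f"! ---- {node.name} ----")
        print("\n".join(static_routes(node) + bgp_config(node)))
```

Adding a router is one more Node entry plus its tunnel map; check_topology() then reports the half-configured tunnel or the missing reverse peering before anything is pasted into a vty.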

Test Static Route and Tunnel

Anchor

[email protected]# ping6 -c5 fefe::e1
PING6(64=40+8+16 bytes) fefe::a --> fefe::e1
24 bytes from fefe::e1, icmp_seq=0 hlim=64 time=12.081 ms
24 bytes from fefe::e1, icmp_seq=1 hlim=64 time=11.709 ms
24 bytes from fefe::e1, icmp_seq=2 hlim=64 time=12.496 ms
24 bytes from fefe::e1, icmp_seq=3 hlim=64 time=11.671 ms
24 bytes from fefe::e1, icmp_seq=4 hlim=64 time=12.852 ms

--- fefe::e1 ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 11.671/12.162/12.852/0.456 ms
[email protected]#

Dinghy

[email protected]# ping6 -c5 fefe::e1
PING6(56=40+8+8 bytes) fefe::d --> fefe::e1
16 bytes from fefe::e1, icmp_seq=0 hlim=64 time=8.727 ms
16 bytes from fefe::e1, icmp_seq=1 hlim=64 time=8.33 ms
16 bytes from fefe::e1, icmp_seq=2 hlim=64 time=8.438 ms
16 bytes from fefe::e1, icmp_seq=3 hlim=64 time=8.398 ms
16 bytes from fefe::e1, icmp_seq=4 hlim=64 time=8.379 ms

--- fefe::e1 ping6 statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/std-dev = 8.330/8.454/8.727/0.141 ms
[email protected]#

Edge1

Edge1#ping fefe::a

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEFE::A, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/36 ms
Edge1#
Edge1#ping fefe::d

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEFE::D, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
Edge1#

Check BGP

Anchor

[email protected]# rtr3 anchor:2605 show ip bgp scan : show ip bgp neig : show ipv6 bgp
spawn /bin/sh -c exec telnet anchor 2605
Trying 172.16.254.2...
Connected to anchor.brest.lab.
Escape character is '^]'.

Hello, this is zebra (version 0.93b).
Copyright 1996-2002 Kunihiro Ishiguro.

User Access Verification

Password:
Anchor(bgpd)> enable
Password:
Anchor(bgpd)# term leng 0
Anchor(bgpd)# show ip bgp scan
BGP scan is running
BGP scan interval is 60
Current BGP nexthop cache:
 fefe::d valid [IGP metric 0]
 fefe::e1 valid [IGP metric 0]


BGP connected route:
 172.16.254.0/24
 fefe:a::/64
Anchor(bgpd)# show ip bgp neig
BGP neighbor is fefe::d, remote AS 65000, local AS 65000, internal link
 Member of peer-group MESH for session parameters
  BGP version 4, remote router ID 172.16.255.2
  BGP state = Established, up for 00:09:00
  Last read 00:01:00, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    Address family IPv6 Unicast: advertised and received
  Received 14 messages, 0 notifications, 0 in queue
  Sent 15 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 5 seconds
  Update source is lo0

 For address family: IPv6 Unicast
  MESH peer-group member
  NEXT_HOP is always this router
  Community attribute sent to this neighbor (both)
  Outbound path policy configured
  Route map for outgoing advertisements is *SET_NEXT_HOP_TO_GLOBAL_IP6
  4 accepted prefixes

  Connections established 1; dropped 0
Local host: fefe::a, Local port: 49153
Foreign host: fefe::d, Foreign port: 179
Nexthop: 172.16.254.2
Nexthop global: fefe::a
Nexthop local: ::
BGP connection: non shared network
Read thread: on  Write thread: off

BGP neighbor is fefe::e1, remote AS 65000, local AS 65000, internal link
 Member of peer-group CLIENTS for session parameters
  BGP version 4, remote router ID 172.16.0.11
  BGP state = Established, up for 00:09:17
  Last read 00:00:17, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    Address family IPv6 Unicast: advertised and received
  Received 13 messages, 0 notifications, 0 in queue
  Sent 16 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 5 seconds
  Update source is lo0


 For address family: IPv6 Unicast
  CLIENTS peer-group member
  Route-Reflector Client
  NEXT_HOP is always this router
  Community attribute sent to this neighbor (both)
  Outbound path policy configured
  Route map for outgoing advertisements is *SET_NEXT_HOP_TO_GLOBAL_IP6
  2 accepted prefixes

  Connections established 1; dropped 0
Local host: fefe::a, Local port: 49154
Foreign host: fefe::e1, Foreign port: 179
Nexthop: 172.16.254.2
Nexthop global: fefe::a
Nexthop local: ::
BGP connection: non shared network
Read thread: on  Write thread: off

Anchor(bgpd)# show ipv6 bgp
BGP table version is 0, local router ID is 172.16.254.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> fefe::a/128      ::                       0         32768 ?
*>ifefe::d/128      fefe::d                  0    100      0 ?
* ifefe::e1/128     fefe::e1                      100      0 ?
*>i                 fefe::e1                      100      0 ?
*> fefe:a::/64      ::                       0         32768 ?
*>ifefe:d::/64      fefe::d                  0    100      0 ?
* ifefe:e1::/64     fefe::e1                      100      0 ?
*>i                 fefe::e1                      100      0 ?

Total number of prefixes 6
Anchor(bgpd)#
[email protected]#

Dinghy

[email protected]# rtr3 dinghy:2605 show ip bgp scan : show ip bgp neig : show ipv6 bgp
spawn /bin/sh -c exec telnet dinghy 2605
Trying 172.16.255.2...
Connected to dinghy.brest.lab.
Escape character is '^]'.

Hello, this is zebra (version 0.93b).
Copyright 1996-2002 Kunihiro Ishiguro.

User Access Verification


Password:
Dinghy(bgpd)> enable
Password:
Dinghy(bgpd)# term leng 0
Dinghy(bgpd)# show ip bgp scan
BGP scan is running
BGP scan interval is 60
Current BGP nexthop cache:
 fefe::a valid [IGP metric 0]
 fefe::e1 valid [IGP metric 0]
BGP connected route:
 172.16.255.0/24
 fefe:d::/64
Dinghy(bgpd)# show ip bgp neig
BGP neighbor is fefe::a, remote AS 65000, local AS 65000, internal link
 Member of peer-group MESH for session parameters
  BGP version 4, remote router ID 172.16.254.2
  BGP state = Established, up for 00:07:01
  Last read 00:00:01, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    Address family IPv6 Unicast: advertised and received
  Received 12 messages, 0 notifications, 0 in queue
  Sent 15 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 5 seconds
  Update source is lo0

 For address family: IPv6 Unicast
  MESH peer-group member
  NEXT_HOP is always this router
  Community attribute sent to this neighbor (both)
  Outbound path policy configured
  Route map for outgoing advertisements is *SET_NEXT_HOP_TO_GLOBAL_IP6
  4 accepted prefixes

  Connections established 1; dropped 0
Local host: fefe::d, Local port: 179
Foreign host: fefe::a, Foreign port: 49153
Nexthop: 172.16.255.2
Nexthop global: fefe::d
Nexthop local: ::
BGP connection: non shared network
Read thread: on  Write thread: off

BGP neighbor is fefe::e1, remote AS 65000, local AS 65000, internal link
 Member of peer-group CLIENTS for session parameters
  BGP version 4, remote router ID 172.16.0.11
  BGP state = Established, up for 00:07:01


Last read 00:00:01, hold time is 180, keepalive interval is 60 secondsNeighbor capabilities:Route refresh: advertised and received (old and new)Address family IPv6 Unicast: advertised and received

Received 11 messages, 0 notifications, 0 in queueSent 14 messages, 0 notifications, 0 in queueRoute refresh request: received 0, sent 0Minimum time between advertisement runs is 5 secondsUpdate source is lo0

 For address family: IPv6 Unicast
  CLIENTS peer-group member
  Route-Reflector Client
  NEXT_HOP is always this router
  Community attribute sent to this neighbor (both)
  Outbound path policy configured
  Route map for outgoing advertisements is *SET_NEXT_HOP_TO_GLOBAL_IP6
  2 accepted prefixes

  Connections established 1; dropped 0
Local host: fefe::d, Local port: 49154
Foreign host: fefe::e1, Foreign port: 179
Nexthop: 172.16.255.2
Nexthop global: fefe::d
Nexthop local: ::
BGP connection: non shared network
Read thread: on  Write thread: off

Dinghy(bgpd)# show ipv6 bgp
BGP table version is 0, local router ID is 172.16.255.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>ifefe::a/128      fefe::a                  0    100      0 ?
*> fefe::d/128      ::                       0         32768 ?
* ifefe::e1/128     fefe::e1                      100      0 ?
*>i                 fefe::e1                      100      0 ?
*>ifefe:a::/64      fefe::a                  0    100      0 ?
*> fefe:d::/64      ::                       0         32768 ?
* ifefe:e1::/64     fefe::e1                      100      0 ?
*>i                 fefe::e1                      100      0 ?

Total number of prefixes 6
Dinghy(bgpd)#
[email protected]#

Edge1


[email protected]# rtr3 edge1 show ip bgp neig : show bgp ipv6 : show bgp ipv6 summary
spawn /bin/sh -c exec telnet edge1
Trying 172.16.0.11...
Connected to edge1.brest.lab.
Escape character is '^]'.

User Access Verification

Username: Kerberos: No default realm defined for Kerberos!
markus
Password:
Edge1>enable
Password:
Edge1#term leng 0
Edge1#show ip bgp neig
BGP neighbor is FEFE::A,  remote AS 65000, internal link
 Member of peer-group ROUTE-REFLECTORS for session parameters
  BGP version 4, remote router ID 172.16.254.2
  BGP state = Established, up for 00:13:31
  Last read 00:00:31, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv6 Unicast: advertised and received

  Received 65 messages, 0 notifications, 0 in queue
  Sent 58 messages, 0 notifications, 0 in queue
  Default minimum time between advertisement runs is 5 seconds

 For address family: IPv6 Unicast
  BGP table version 21, neighbor version 21
  Index 1, Offset 0, Mask 0x2
  ROUTE-REFLECTORS peer-group member
  NEXT_HOP is always this router
  Community attribute sent to this neighbor
  Route refresh request: received 0, sent 0
  Outbound path policy configured
  Route map for outgoing advertisements is SET_NEXT_HOP_TO_GLOBAL_IP6
  4 accepted prefixes consume 272 bytes
  Prefix advertised 4, suppressed 0, withdrawn 0

  Connections established 2; dropped 1
  Last reset 00:13:34, due to Peer closed the session

Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: FEFE::E1, Local port: 179
Foreign host: FEFE::A, Foreign port: 49154

Enqueued packets for retransmit: 0, input: 0 mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x37FE98):
Timer          Starts    Wakeups            Next
Retrans            18          0             0x0
TimeWait            0          0             0x0
AckHold            20          5             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0

iss: 1416768829  snduna: 1416769266  sndnxt: 1416769266     sndwnd:  16384
irs:  926894319  rcvnxt:  926895002  rcvwnd:      16232  delrcvwnd:    152

SRTT: 273 ms, RTTO: 499 ms, RTV: 226 ms, KRTT: 0 ms
minRTT: 12 ms, maxRTT: 300 ms, ACK hold: 200 ms
Flags: passive open, nagle, gen tcbs

Datagrams (max data segment is 516 bytes):
Rcvd: 37 (out of order: 0), with data: 20, total data bytes: 682
Sent: 24 (retransmit: 0, fastretransmit: 0), with data: 24, total data bytes: 1404

BGP neighbor is FEFE::D,  remote AS 65000, internal link
 Member of peer-group ROUTE-REFLECTORS for session parameters
  BGP version 4, remote router ID 172.16.255.2
  BGP state = Established, up for 00:13:14
  Last read 00:00:14, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(old & new)
    Address family IPv6 Unicast: advertised and received

  Received 34 messages, 0 notifications, 0 in queue
  Sent 31 messages, 0 notifications, 0 in queue
  Default minimum time between advertisement runs is 5 seconds

 For address family: IPv6 Unicast
  BGP table version 21, neighbor version 21
  Index 1, Offset 0, Mask 0x2
  ROUTE-REFLECTORS peer-group member
  NEXT_HOP is always this router
  Community attribute sent to this neighbor
  Route refresh request: received 0, sent 0
  Outbound path policy configured
  Route map for outgoing advertisements is SET_NEXT_HOP_TO_GLOBAL_IP6
  4 accepted prefixes consume 272 bytes
  Prefix advertised 4, suppressed 0, withdrawn 0

  Connections established 2; dropped 1
  Last reset 00:13:18, due to Peer closed the session

Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: FEFE::E1, Local port: 179
Foreign host: FEFE::D, Foreign port: 49154

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x37FFC8):
Timer          Starts    Wakeups            Next
Retrans            18          0             0x0
TimeWait            0          0             0x0
AckHold            20          7             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0

iss: 3977539705  snduna: 3977540142  sndnxt: 3977540142     sndwnd:  16384
irs: 1456148508  rcvnxt: 1456149191  rcvwnd:      16232  delrcvwnd:    152

SRTT: 273 ms, RTTO: 499 ms, RTV: 226 ms, KRTT: 0 ms
minRTT: 8 ms, maxRTT: 300 ms, ACK hold: 200 ms
Flags: passive open, nagle, gen tcbs

Datagrams (max data segment is 516 bytes):
Rcvd: 34 (out of order: 0), with data: 20, total data bytes: 682
Sent: 26 (retransmit: 0, fastretransmit: 0), with data: 26, total data bytes: 1484
Edge1#show bgp ipv6
BGP table version is 21, local router ID is 172.16.0.11
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>iFEFE::A/128      FEFE::A                  0    100      0 ?
* i                 FEFE::A                  0    100      0 ?
*>iFEFE::D/128      FEFE::D                  0    100      0 ?
* i                 FEFE::D                  0    100      0 ?
*> FEFE::E1/128     ::                                 32768 ?
*>iFEFE:A::/64      FEFE::A                  0    100      0 ?
* i                 FEFE::A                  0    100      0 ?
*>iFEFE:D::/64      FEFE::D                  0    100      0 ?
* i                 FEFE::D                  0    100      0 ?
*> FEFE:E1::/64     ::                                 32768 ?
Edge1#show bgp ipv6 summary
BGP router identifier 172.16.0.11, local AS number 65000
BGP table version is 21, main routing table version 21
6 network entries and 10 paths using 1454 bytes of memory
2 BGP path attribute entries using 120 bytes of memory
2 BGP rrinfo entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP activity 8/50 prefixes, 20/10 paths, scan interval 60 secs


Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
FEFE::A         4 65000      65      58       21    0    0 00:13:32        4
FEFE::D         4 65000      34      31       21    0    0 00:13:15        4
Edge1#
[email protected]#
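The neighbor table above is the quickest health check of the IPv6 peering. The following Python is an added example, not part of the workbook: it parses the table as IOS prints it and flags any session that is not Established (IOS then prints the FSM state instead of a prefix count in the State/PfxRcd column). The sample text is constructed from the Edge1 output, with an extra, invented peer FEFE::E2 in state Idle for the failure case.

```python
"""Parse the neighbour table of `show bgp ipv6 summary` and flag sessions
that are not Established.  Added example; the sample below is constructed
from the Edge1 output in this logbook plus an invented Idle neighbour."""
from __future__ import annotations
import re
from typing import List, NamedTuple, Optional


class BgpNeighbor(NamedTuple):
    address: str
    remote_as: int
    msg_rcvd: int
    msg_sent: int
    up_down: str
    state: str          # "Established" or the FSM state IOS printed
    prefixes: int       # prefixes received; 0 unless Established


# One data row of the summary table.  IOS prints a prefix count in the last
# column only for Established sessions; otherwise it prints the state
# (Idle, Active, OpenSent, ...), possibly followed by "(Admin)".
_ROW = re.compile(
    r"^(?P<addr>\S+)\s+(?P<ver>\d+)\s+(?P<as>\d+)\s+(?P<rcvd>\d+)\s+(?P<sent>\d+)"
    r"\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+(?P<outq>\d+)\s+(?P<updown>\S+)\s+(?P<state>.+?)\s*$"
)


def parse_bgp_summary(text: str) -> List[BgpNeighbor]:
    """Return one entry per neighbour row; the header, the memory statistics
    and the prompts do not match the row pattern and are skipped."""
    neighbors = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        raw_state = m.group("state")
        established = raw_state.isdigit()
        neighbors.append(BgpNeighbor(
            address=m.group("addr"),
            remote_as=int(m.group("as")),
            msg_rcvd=int(m.group("rcvd")),
            msg_sent=int(m.group("sent")),
            up_down=m.group("updown"),
            state="Established" if established else raw_state,
            prefixes=int(raw_state) if established else 0,
        ))
    return neighbors


def unhealthy(neighbors: List[BgpNeighbor],
              expected_prefixes: Optional[int] = None) -> List[BgpNeighbor]:
    """Sessions that are down, or (if expected_prefixes is given) Established
    but carrying a different number of prefixes than the lab expects."""
    return [
        n for n in neighbors
        if n.state != "Established"
        or (expected_prefixes is not None and n.prefixes != expected_prefixes)
    ]


# Constructed sample: the two real Edge1 rows plus an invented Idle peer.
SAMPLE_SUMMARY = """\
Edge1#show bgp ipv6 summary
BGP router identifier 172.16.0.11, local AS number 65000
BGP table version is 21, main routing table version 21
6 network entries and 10 paths using 1454 bytes of memory
BGP activity 8/50 prefixes, 20/10 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
FEFE::A         4 65000      65      58       21    0    0 00:13:32        4
FEFE::D         4 65000      34      31       21    0    0 00:13:15        4
FEFE::E2        4 65000       0       0        0    0    0 never    Idle (Admin)
Edge1#
"""

if __name__ == "__main__":
    for n in unhealthy(parse_bgp_summary(SAMPLE_SUMMARY), expected_prefixes=4):
        print(f"{n.address}: {n.state}, {n.prefixes} prefixes, up/down {n.up_down}")
```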

Configure RIPv6

RIPv6 is used to propagate the IPv6 routes to the local area networks. Since we do not want to learn routes via RIP, we block all incoming route advertisements.

Edge1

Edge1(config)#ipv6 router rip EDGE-LAN
Edge1(config-rtr)#distance 254
Edge1(config-rtr)#redistribute bgp 65000 metric 10
Edge1(config-rtr)#distribute-list prefix-list DENY_ALL in
Edge1(config-rtr)#exit
Edge1(config)#
Edge1(config)#ipv6 prefix-list DENY_ALL deny ::/0
Edge1(config)#
Edge1(config)#interface ethernet 0
Edge1(config-if)#ipv6 router rip EDGE-LAN
Edge1(config-rtr)#exit

Don’t forget wr mem. Let us see if the configuration is working.

Edge1

Edge1#show ipv6 rip
RIP process "EDGE-LAN", port 521, multicast-group FF02::9, pid 76
     Administrative distance is 120. Routing table is 0
     Updates every 30 seconds, expire after 180
     Holddown lasts 180 seconds, garbage collect after 120
     Split horizon is on; poison reverse is off
     Default routes are not generated
     Periodic updates 8, trigger updates 0

Edge1#
Edge1#term moni
Edge1#debug ipv6 rip
RIP Routing Protocol debugging is on
Edge1#
Oct 9 22:03:13.100: RIPng: Sending multicast update on Ethernet0 for EDGE-LAN
Oct 9 22:03:13.104:         src=FE80::200:CFF:FE4A:A1D1
Oct 9 22:03:13.104:         dst=FF02::9 (Ethernet0)
Oct 9 22:03:13.108:         sport=521, dport=521, length=72
Oct 9 22:03:13.112:     command=2, version=1, mbz=0, #rte=3
Oct 9 22:03:13.112:         tag=0, metric=10, prefix=FEFE:A::/64
Oct 9 22:03:13.116:         tag=0, metric=10, prefix=FEFE:D::/64
Oct 9 22:03:13.116:         tag=0, metric=1, prefix=FEFE:E1::/64
Oct 9 22:03:39.688: RIPng: Sending multicast update on Ethernet0 for EDGE-LAN


Oct 9 22:03:39.692:         src=FE80::200:CFF:FE4A:A1D1
Oct 9 22:03:39.692:         dst=FF02::9 (Ethernet0)
Oct 9 22:03:39.696:         sport=521, dport=521, length=72
Oct 9 22:03:39.700:     command=2, version=1, mbz=0, #rte=3
Oct 9 22:03:39.700:         tag=0, metric=10, prefix=FEFE:A::/64
Oct 9 22:03:39.704:         tag=0, metric=10, prefix=FEFE:D::/64
Oct 9 22:03:39.704:         tag=0, metric=1, prefix=FEFE:E1::/64
Oct 9 22:04:06.496: RIPng: Sending multicast update on Ethernet0 for EDGE-LAN
Oct 9 22:04:06.500:         src=FE80::200:CFF:FE4A:A1D1
Oct 9 22:04:06.504:         dst=FF02::9 (Ethernet0)
Oct 9 22:04:06.504:         sport=521, dport=521, length=72
Oct 9 22:04:06.508:     command=2, version=1, mbz=0, #rte=3
Oct 9 22:04:06.508:         tag=0, metric=10, prefix=FEFE:A::/64
Oct 9 22:04:06.512:         tag=0, metric=10, prefix=FEFE:D::/64
Oct 9 22:04:06.516:         tag=0, metric=1, prefix=FEFE:E1::/64
Edge1#
Edge1#un all
All possible debugging has been turned off
Edge1#
Edge1#debug ipv6 icmp
ICMP packet debugging is on
Edge1#
Oct 9 22:07:08.405: ICMPv6-ND: Sending RA to FF02::1 on Ethernet0
Oct 9 22:07:08.409: ICMPv6-ND:     prefix = FEFE:E1::/64 onlink autoconfig
Edge1#

Looks like we have a working configuration. Router Edge2 can be configured accordingly.


C.1.3 Configure NetBSD/Zebra Edge Router

Well, by now you should already have a good understanding of how to configure a NetBSD edge router for IPv6.

Basically the following steps are required on an edge router:

• Edit /etc/rc.conf and /etc/rc.local. Check the section regarding the configuration of route reflectors.

• Configure interfaces for IPv6 (including gif, loopback, and Ethernet).

• Configure static IPv6 routes for the loopback interfaces of the peering routers.

• Configure BGP analogous to a Cisco edge router.

• Configure RIPv6 to redistribute the IPv6 routes on the edge networks.

On the hub routers (Anchor and Dinghy) the following steps are required:

• Configure the interfaces towards the edge router.[11]

• Configure static IPv6 routes for the loopback interface of the edge router.

• Configure BGP as for a Cisco edge router.

[11] In the case of router Core4 this is a gif interface on Anchor. Dinghy is attached via a local area network.


C.2 Configuring DJBDNS

Anchor and Dinghy provide name service for the lab network. In order to provide the service, both machines have djbdns (http://cr.yp.to/djbdns.html) and daemontools (http://cr.yp.to/daemontools.html) installed.

[email protected]> pkg_info djbdns
Information for djbdns-1.05:

Comment:
Collection of secure and reliable DNS tools by Dan Bernstein

Description:
DJBDNS is a collection of Domain Name System tools. It includes several components:

* The dnscache program is a local DNS cache. It accepts recursive DNS queries from local clients such as web browsers. It collects responses from remote DNS servers.

* The tinydns program is a fast, UDP-only DNS server. It makes local DNS information available to the Internet.

* The pickdns program is a load-balancing DNS server. It points clients to a dynamic selection of IP addresses.

* The walldns program is a reverse DNS wall. It provides matching reverse and forward records while hiding local host information.

* The dns library handles outgoing and incoming DNS packets. It can be used by clients such as web browsers to look up host addresses, host names, MX records, etc. It supports asynchronous resolution.

* The dnsfilter program is a parallel IP-address-to-host-name converter.

* The dnsip, dnsip6, dnsipq, dnsname, dnstxt, and dnsmx programs are simple command-line interfaces to DNS.

* The dnsq and dnstrace programs are DNS debugging tools.

You may also want to use:
* pkgsrc/net/ucspi-tcp, if you're going to use axfrdns or axfr-get
* tinydns logfile formatter, installed under ${PREFIX}/bin/tinydns-log
* dnscache logfile formatter, installed under ${PREFIX}/bin/dnscache-log
  (formatters are taken from http://tinydns.org, they need perl to run]

* tai64nlocal (pkgsrc/sysutils/daemontools) -- to convert timestamps printed out by these two formatters to human readable form

This package includes IPv6 patches written by Fefe, see http://www.fefe.de/dns/ for more details.

Please read http://cr.yp.to/djbdns/upgrade.html if you're upgrading from previous version of djbdns.


Homepage:
http://cr.yp.to/djbdns.html

[email protected]>

[email protected]> pkg_info daemontools
Information for daemontools-0.70:

Comment:
Service monitoring and logging utilities by djb

Description:
Daemontools is a small set of /very/ useful utilities, from Dan Bernstein. They are mainly used for controlling processes, and maintaining logfiles.

Homepage:
http://cr.yp.to/daemontools.html

[email protected]>

The following section, which follows Martin Lesser's dnscache-HOWTO (http://www.better-com.de/dnscache/howto-de/), gives an overview of the configuration. Some stuff has been stolen from the ‘Inofficial djbdns FAQ’ (http://www.fefe.de/djbdns/), which is also a very useful resource.

Two machines are used to provide name service for the lab. Unlike BIND, djbdns does not use the concept of primary and secondary name servers: both name servers are equal, and no zone transfers are required. Synchronization of the two databases can be done using utilities such as rsync.

The name service on a single machine is implemented by two programs, dnscache and tinydns. It is not possible to use the same IP address for both programs. dnscache is configured with the IP address of the Ethernet interface; tinydns is configured with the IP address of the loopback interface (127.0.0.1). dnscache is then configured to ask the local instance of tinydns.

First we create the required user accounts. Note that the accounts do not require a home directory. The login shell is set to /sbin/nologin for security reasons.

root@dinghy.brest.lab# useradd -g nogroup tinydns
useradd: Warning: home directory `/home/tinydns' doesn't exist, and -m was not specified
root@dinghy.brest.lab# useradd -g nogroup dnscache
useradd: Warning: home directory `/home/dnscache' doesn't exist, and -m was not specified
root@dinghy.brest.lab# useradd -g nogroup dnslog
useradd: Warning: home directory `/home/dnslog' doesn't exist, and -m was not specified
root@dinghy.brest.lab# which nologin
/sbin/nologin
root@dinghy.brest.lab# chsh tinydns

#Changing user database information for tinydns.
<snip>
Shell: /sbin/nologin
<snip>
root@dinghy.brest.lab# chsh dnscache


#Changing user database information for dnscache.
<snip>
Shell: /sbin/nologin
<snip>
root@dinghy.brest.lab# chsh dnslog

#Changing user database information for dnslog.
Login: dnslog
<snip>
Shell: /sbin/nologin
<snip>
root@dinghy.brest.lab#

Now we are going to configure tinydns. First we create the name server, the DNS zone, and the reverse lookup zones for the lab network.

root@dinghy.brest.lab# tinydns-conf tinydns dnslog /etc/tinydns 127.0.0.1
root@dinghy.brest.lab#
root@dinghy.brest.lab# cd /etc/tinydns/root
root@dinghy.brest.lab# ls
Makefile     add-alias6   add-host     add-mx       data
add-alias    add-childns  add-host6    add-ns
root@dinghy.brest.lab#
root@dinghy.brest.lab# ./add-ns brest.lab 127.0.0.1
root@dinghy.brest.lab# ./add-ns 16.172.in-addr.arpa 127.0.0.1
root@dinghy.brest.lab# ./add-ns 168.192.in-addr.arpa 127.0.0.1
root@dinghy.brest.lab# ./add-ns 10.in-addr.arpa 127.0.0.1

Now we populate the zone with name-to-address mappings. The reverse lookup zones are populated automagically.

root@dinghy.brest.lab# ./add-host dinghy.brest.lab [email protected]
root@dinghy.brest.lab# ./add-host anchor.brest.lab [email protected]
root@dinghy.brest.lab# ./add-host core1.brest.lab [email protected]
root@dinghy.brest.lab# ./add-host core2.brest.lab [email protected]
root@dinghy.brest.lab# ./add-host core3.brest.lab [email protected]
root@dinghy.brest.lab# ./add-host edge1.brest.lab [email protected]
root@dinghy.brest.lab# ./add-host edge2.brest.lab [email protected]
root@dinghy.brest.lab# ./add-host edge3.brest.lab 172.16.0.13

Some aliases for lab boxes.

root@dinghy.brest.lab# ./add-alias www.brest.lab [email protected]
root@dinghy.brest.lab# ./add-alias mrtg.brest.lab [email protected]
root@dinghy.brest.lab# ./add-alias ns1.brest.lab [email protected]
root@dinghy.brest.lab# ./add-alias ns2.brest.lab 172.16.255.2

Since NetBSD's djbdns package includes the IPv6 patches written by Felix von Leitner (http://www.fefe.de/dns/), we have IPv6 name service out of the box.

root@dinghy.brest.lab# ./add-host6 dinghy.ipv6.brest.lab fefe::d
root@dinghy.brest.lab# ./add-host anchor.ipv6.brest.lab fefe::a
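The add-ns, add-host and add-alias helpers only append one line each to the tinydns data file; it is t that file's line types that decide which records exist and why the reverse zones fill "automagically". The Python below is an added example, not djbdns code and not part of the workbook: it expands the IPv4 line types (`.`, `&`, `=`, `+`, `@`, `C`, `^`, `'`) into the records tinydns-data derives from them, showing that `=` (add-host) yields an A plus the matching PTR while `+` (add-alias) yields an A only, and that a `=` line carrying an IPv6 address (what add-host instead of add-host6 would write) is rejected. The `6`/`3` line types of the fefe IPv6 patch are out of scope, and the sample lines are constructed after the commands above, assuming add-ns wrote the name-server letter `a` (tinydns-edit's first choice) and the SOA contact hostmaster.<zone>.

```python
"""Expand tinydns `data` lines into the DNS records that tinydns-data
derives from them.  Added example for the add-ns/add-host/add-alias steps
above; it is not djbdns code and not part of the workbook.  Only the IPv4
line types are modelled: the '6'/'3' lines of the fefe IPv6 patch are out
of scope.  The sample lines are constructed after the commands above,
assuming add-ns wrote name-server letter 'a' (tinydns-edit's first choice)."""
from __future__ import annotations
import ipaddress
from typing import List, Tuple

Record = Tuple[str, str, str]   # (owner name, record type, rdata)


def _ipv4(text: str, line: str) -> str:
    """tinydns-data only understands dotted-quad addresses in these fields."""
    try:
        return str(ipaddress.IPv4Address(text))
    except ValueError:
        raise ValueError(f"{line!r}: {text!r} is not an IPv4 address") from None


def _server_name(label: str, fqdn: str, sub: str) -> str:
    """A label without a dot is short: 'a' in '.brest.lab:...:a' is a.ns.brest.lab."""
    if not label:
        raise ValueError(f"name-server label missing for {fqdn}")
    return label if "." in label else f"{label}.{sub}.{fqdn}"


def expand_data_line(line: str) -> List[Record]:
    if not line or line[0] in "#-":            # comment or disabled record
        return []
    kind, fields = line[0], line[1:].split(":")
    fqdn = fields[0]

    def field(i: int) -> str:                   # missing trailing fields are empty
        return fields[i] if len(fields) > i else ""

    if kind in ".&":                            # add-ns ('.') / add-childns ('&')
        ns = _server_name(field(2), fqdn, "ns")
        recs: List[Record] = []
        if kind == ".":                         # '.' also creates the zone's SOA
            recs.append((fqdn, "SOA", f"{ns} hostmaster.{fqdn}"))
        recs.append((fqdn, "NS", ns))
        if field(1):                            # glue for x.ns.fqdn when an IP is given
            recs.append((ns, "A", _ipv4(field(1), line)))
        return recs
    if kind == "=":                             # add-host: A plus the matching PTR
        ip = _ipv4(field(1), line)
        return [(fqdn, "A", ip),
                (ipaddress.IPv4Address(ip).reverse_pointer, "PTR", fqdn)]
    if kind == "+":                             # add-alias: A only, no PTR
        return [(fqdn, "A", _ipv4(field(1), line))]
    if kind == "@":                             # add-mx: MX (distance, default 0) plus glue
        mx = _server_name(field(2), fqdn, "mx")
        recs = [(fqdn, "MX", f"{field(3) or '0'} {mx}")]
        if field(1):
            recs.append((mx, "A", _ipv4(field(1), line)))
        return recs
    if kind == "C":
        return [(fqdn, "CNAME", field(1))]
    if kind == "^":
        return [(fqdn, "PTR", field(1))]
    if kind == "'":
        return [(fqdn, "TXT", field(1))]
    raise ValueError(f"unsupported line type {kind!r} in {line!r}")


def expand_data(text: str) -> List[Record]:
    return [r for ln in text.splitlines() for r in expand_data_line(ln.strip())]


def line_is_valid(line: str) -> bool:
    try:
        expand_data_line(line)
        return True
    except ValueError:
        return False


def names_without_ptr(records: List[Record]) -> List[str]:
    """Forward names that have no reverse entry: '+' aliases and NS/MX glue.
    This is why www/mrtg/ns1/ns2 were added with add-alias, not add-host."""
    ptr_targets = {rdata for _, rtype, rdata in records if rtype == "PTR"}
    return sorted({owner for owner, rtype, _ in records if rtype == "A"} - ptr_targets)


# Constructed sample: what the add-ns / add-host / add-alias calls above append.
SAMPLE_DATA = """\
.brest.lab:127.0.0.1:a
.16.172.in-addr.arpa:127.0.0.1:a
=edge3.brest.lab:172.16.0.13
+ns2.brest.lab:172.16.255.2
"""

if __name__ == "__main__":
    for rec in expand_data(SAMPLE_DATA):
        print(rec)
    print("forward-only names:", names_without_ptr(expand_data(SAMPLE_DATA)))
```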


In the second step we configure the dnscache program. First we create the cache. Note that we bind the dnscache program to the IP address of the Ethernet interface; above we configured the tinydns program to use the loopback address.

root@dinghy.brest.lab# dnscache-conf dnscache dnslog /etc/dnscache 172.16.255.2

By default dnscache only answers requests initiated from the hosting machine. Now we configure it to accept requests from all machines in the lab network. The file /etc/dnscache/root/ip/10 instructs dnscache to accept requests from IPv4 addresses in the range 10.0.0.0/16.

root@dinghy.brest.lab# touch /etc/dnscache/root/ip/[email protected]
root@dinghy.brest.lab# touch /etc/dnscache/root/ip/[email protected]
root@dinghy.brest.lab# touch /etc/dnscache/root/ip/10

Now we instruct dnscache to consult the local tinydns server to resolve names in the lab zones.

root@dinghy.brest.lab# cd /etc/dnscache/root/servers/
root@dinghy.brest.lab# ls
@
root@dinghy.brest.lab# echo '127.0.0.1' > brest.lab
root@dinghy.brest.lab# echo '127.0.0.1' > 16.172.in-addr.arpa
root@dinghy.brest.lab# echo '127.0.0.1' > 168.192.in-addr.arpa
root@dinghy.brest.lab# echo '127.0.0.1' > 10.in-addr.arpa
root@dinghy.brest.lab#
root@dinghy.brest.lab# ll
total 5
-rw-r--r--  1 root  wheel   10 Oct  4 18:08 10.in-addr.arpa
-rw-r--r--  1 root  wheel   10 Oct  4 18:08 16.172.in-addr.arpa
-rw-r--r--  1 root  wheel   10 Oct  4 18:08 168.192.in-addr.arpa
-rw-r--r--  1 root  wheel  164 Oct  4 18:04 @
-rw-r--r--  1 root  wheel   10 Oct  4 18:07 brest.lab
root@dinghy.brest.lab#
root@dinghy.brest.lab# cat brest.lab
127.0.0.1
root@dinghy.brest.lab#
root@dinghy.brest.lab# cat 16.172.in-addr.arpa
127.0.0.1
root@dinghy.brest.lab# cat 168.192.in-addr.arpa
127.0.0.1
root@dinghy.brest.lab# cat 10.in-addr.arpa
127.0.0.1
root@dinghy.brest.lab#
root@dinghy.brest.lab# cat @
198.41.0.4
128.9.0.107
192.33.4.12
128.8.10.90
192.203.230.10
192.5.5.241
192.112.36.4
128.63.2.53


192.36.148.17
198.41.0.10
193.0.14.129
198.32.64.12
202.12.27.33
root@dinghy.brest.lab#
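The ip/ and servers/ directories above are the whole access-control and forwarding policy of this dnscache, so it is worth being precise about how they are matched. The Python below is an added example (not djbdns code, not part of the workbook) that models both lookups: a client is accepted if a file named after its address or one of its whole-octet prefixes exists under ip/, and a query is sent to the servers listed in the servers/ file named by the longest domain suffix of the query name, falling back to servers/@. Of the sample data, only ip/10 and the first two root-server addresses come from the listing above; the other two ip/ names are assumed.

```python
"""Model the two lookups dnscache performs against its root/ directory, as
configured above: ip/ decides which clients may query, servers/ decides
where a query is sent.  Added example, not djbdns code.  The ip/ entries
other than '10' are assumed; the root-server list is shortened."""
from __future__ import annotations
from typing import Dict, List, Set, Tuple


def client_allowed(client_ip: str, ip_files: Set[str]) -> bool:
    """dnscache accepts a packet from 1.2.3.4 if ip/1.2.3.4, ip/1.2.3,
    ip/1.2 or ip/1 exists.  The match is on whole octets, so ip/10 covers
    10.x.y.z but not 100.x.y.z."""
    octets = client_ip.split(".")
    return any(".".join(octets[:n]) in ip_files for n in range(len(octets), 0, -1))


def servers_for(qname: str, servers: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """Return the servers/ file dnscache consults for qname and its contents:
    the longest domain suffix of qname that has a file, else '@' (the root
    servers).  Queries under brest.lab therefore go to the local tinydns."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in servers:
            return suffix, servers[suffix]
    return "@", servers["@"]


# Constructed after the listing above: ip/10 is from the page, the other two
# ip/ names are assumed; '@' holds the first two root-server addresses shown.
IP_FILES: Set[str] = {"10", "172.16", "192.168"}
SERVERS: Dict[str, List[str]] = {
    "@": ["198.41.0.4", "128.9.0.107"],
    "brest.lab": ["127.0.0.1"],
    "16.172.in-addr.arpa": ["127.0.0.1"],
    "168.192.in-addr.arpa": ["127.0.0.1"],
    "10.in-addr.arpa": ["127.0.0.1"],
}


def where_does_it_go(client_ip: str, qname: str) -> str:
    """One-line summary, handy when a client gets no answer at all."""
    if not client_allowed(client_ip, IP_FILES):
        return f"{client_ip}: dropped, no matching file under ip/"
    name, addrs = servers_for(qname, SERVERS)
    return f"{client_ip} asking {qname}: forwarded via servers/{name} to {', '.join(addrs)}"


if __name__ == "__main__":
    print(where_does_it_go("172.16.0.13", "core1.brest.lab"))
    print(where_does_it_go("172.16.0.13", "13.0.16.172.in-addr.arpa"))
    print(where_does_it_go("10.9.8.7", "www.example.com"))
    print(where_does_it_go("100.1.2.3", "core1.brest.lab"))
```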

Lastly we create entries for dnscache and tinydns in the service directory. This puts the programs under the control of daemontools.

root@dinghy.brest.lab# ll /service
total 0
lrwxr-xr-x  1 root  wheel  21 Oct  1 14:09 gated -> /usr/local/etc/gated/
lrwxr-xr-x  1 root  wheel  18 Sep 30 16:25 zebra -> /usr/pkg/etc/zebra
root@dinghy.brest.lab#
root@dinghy.brest.lab# ln -s /etc/tinydns /service
root@dinghy.brest.lab# ln -s /etc/dnscache /service
root@dinghy.brest.lab#
root@dinghy.brest.lab# ll /service
total 0
lrwxr-xr-x  1 root  wheel  13 Oct  4 18:13 dnscache -> /etc/dnscache
lrwxr-xr-x  1 root  wheel  21 Oct  1 14:09 gated -> /usr/local/etc/gated/
lrwxr-xr-x  1 root  wheel  12 Oct  4 18:12 tinydns -> /etc/tinydns
lrwxr-xr-x  1 root  wheel  18 Sep 30 16:25 zebra -> /usr/pkg/etc/zebra
root@dinghy.brest.lab#
root@dinghy.brest.lab# ps -aux | grep tinydns
tinydns  28740  0.0  0.8   164  492 ??  S     6:12PM  0:00.22 /usr/pkg/bin/tinydns
root     28732  0.0  0.7    36  464 ??  S     6:12PM  0:00.09 supervise tinydns
root     29719  0.0  0.9   204  588 p1  S+    6:13PM  0:00.06 grep tinydns
root@dinghy.brest.lab#
root@dinghy.brest.lab# ps -aux | grep dnscache
dnscache 28957  0.0  2.7  1388 1796 ??  S     6:13PM  0:00.35 /usr/pkg/bin/dnscache
root     28952  0.0  0.7    36  464 ??  S     6:13PM  0:00.09 supervise dnscache
root     29896  0.0  2.6  1424 1708 p1  RV    6:13PM  0:00.00 grep dnscache (tcsh)
root@dinghy.brest.lab#

Check if the name service is running properly.

root@dinghy.brest.lab# dnsipq core1
core1.brest.lab [email protected]
root@dinghy.brest.lab#
root@dinghy.brest.lab# dnsip [email protected]
root@dinghy.brest.lab#
root@dinghy.brest.lab# dnsname [email protected]
root@dinghy.brest.lab#

That was easy, wasn’t it?

The configuration on node Anchor is analogous to the example above.


D Xyplex MaxServer 1600

iTouch Communications (http://www.itouchcom.com/) has taken over the old Xyplex terminal server product line. Transferring the documentation section from the NBase/Xyplex web site to the iTouch web site was lossy. I have included documentation from the iTouch web site so that this document is now self-contained.

D.1 Access Server Administrator’s Primer

The NBase-Xyplex Access Server is a multi-protocol terminal server which supports direct asynchronous connections for most serial peripherals. These devices can be terminals, printers, async modems for remote access, console ports of UNIX workstations, management ports on switches, hand-held scanners, and a variety of other data-collecting serial devices. The access server can concurrently support users who are logged into IP and VMS systems, dial-in and dial-out with interactive, SLIP or PPP sessions, network printing, and provide network access to serial management ports on other network devices.

The purpose of this document is to provide an overview of the key issues you should be aware of when first working with the unit. These key issues include: the server's loading process, user interface concepts, server and port configuration, and safe methods for rebooting the server after it has been configured.

D.1.1 Bootstrap

The access server REQUIRES a connection to a 10 Mbps Ethernet LAN before it will start the normal loading sequence. The unit does not support 100 Mbps Fast Ethernet. If no LAN connection is seen by the unit during the loading process, it will not load, and the following message will be displayed on an attached terminal:

Searching for a Functional Standard Ethernet Network.

To resolve this problem, verify the cabling between the LAN and the Ethernet port on the access server. For 10BaseT connections, a straight-through Ethernet cable is required between the access server and a DCE device (such as an Ethernet hub or switch), and a cross-over Ethernet cable is required for connections to a DTE device (such as a bridge/router). Once the LAN is detected, the unit will complete a hardware self test and begin to load. To complete the loading process and become fully functional, the server requires two files: the software image (runtime code) AND the parameter file. The access server will first load the runtime image, then load and implement the parameter database. The server's boot ROMs are designed to load both files using several loading protocols.

Software Image

The Access Server defaults to load the runtime image using protocols in the following order:

CARD For loading from a local FLASH memory card that is inserted in the unit.


XMOP Xyplex's proprietary load protocol, where one Xyplex device acts as a load server for another Xyplex device.

MOP The unit will send DEC MOP load broadcasts across the LAN searching for a VAX load server.

BOOTP The unit will send a BOOTP broadcast, searching for a BOOTP server to obtain an IP address so that it can download the runtime image from a TFTP host. If a router is between the Xyplex device and the BOOTP server, you will need to ensure the router forwards BOOTP packets on to the BOOTP server, since BOOTP is not routable. Cisco calls this an IP helper.

RARP The unit will send a RARP broadcast looking for a response from a RARP server that provides an IP address to use, so that it can download the runtime image from a TFTP host.

Once the access server has downloaded the image file, it will then decompress and implement theruntime code it received.

D.1.2 Parameter File

Once the server has processed the runtime image, it will then download and implement the parameter database. The parameter file contains all of the server and port settings. Should this file be incomplete or corrupted, the access server will either complete the bootstrap process using the default parameter set, or it will not completely boot/reboot, instead displaying a flashing LED error code on the front panel. To correct this situation, please refer to the "Getting Started" manual and follow the process to gain access to the ROM Configuration Menu in order to default the server and port settings. There is also a Technical Paper available on the NBase-Xyplex web page that outlines this process in detail:

http://www.nbase-xyplex.com/support/documentation/tp/default2.cfm

The process requires a terminal directly attached to any single async port on the server. The server's default parameter load protocols are tried in the order below (this order may vary depending on the access server hardware type you are working with):

NVS Non-Volatile Storage located within the unit on the motherboard. This is the default for all NBase-Xyplex access servers except the N9-720, which has no NVS on board.

CARD The only NBase-Xyplex access server that can retrieve its parameter file from an on-board flash memory card is the N9-720 server. No other server supports this function directly.

XMOP Using the Xyplex proprietary protocol, the server will broadcast a load request to get a copy of its parameter file from another Xyplex device which has stored its parameter file. The responding Xyplex device must have a local flash memory card (where it stores the parameter files for other units) and have "Manager Load" and "Parameter Service" enabled.

MOP The unit will send DEC MOP load broadcasts across the LAN searching for a VAX load server that is running the Xyplex software process "xyp manager" and has an NCP entry for that access server as well as a copy of its parameter file. NOTE: "xyp manager" is not supported on OpenVMS version 6.2 or higher.

BOOTP Same process as for the image loading, but the unit will look for a file named "x012345.prm" on the TFTP server (where 012345 represents the last 6 digits of the unit's Ethernet address).

RARP Same process as for the image loading, but the unit will look for a file named "x012345.prm" on the TFTP server (where 012345 represents the last 6 digits of the unit's Ethernet address).


D.1.3 Login

Once the server is fully booted, the RUN and LAN lights will flash about once per second. At this time, press the Return or Enter key on the terminal keyboard several times. This allows the access server's port to autobaud to the speed your terminal is set to. Terminal parameters should be set to VT100 emulation, character size 8, parity none, 1 stop bit, and XON/XOFF (software) flow control. As you press the Return key, the LED on the front panel that corresponds to the port your terminal is connected to should flash. If it doesn't, there could be a communications issue between the port and your terminal. Verify your terminal settings and the cabling between the two. Refer to the "Getting Started" manual for DTE pinouts and cabling requirements. There is also a Technical Paper available on the NBase-Xyplex web page that provides this information:

http://www.nbase-xyplex.com/support/documentation/tp/as_cabling.cfm

Once the port and the terminal are communicating properly, you will see the server's default welcome message and be prompted to log into the server:

Welcome to the Xyplex Terminal Server.

Enter username>

At this point, the server is just looking for any name or character string to be entered; this prompt performs no authentication, and whatever you enter is not important. The "string" you provide will appear on certain "show port" screens as a visual reference to indicate who is logged in there, for user and administrator convenience only.

Enter username> enter_some_string

After entering any alpha or numeric string, you are presented with the default port prompt:

Xyplex>

At this point you are logged into and talking to an active and functional access server port. The next step is to configure the unit to meet your needs and goals.

D.1.4 Configuration

The parameter database is where the access server's unique profile and port settings are stored, and from where they are reloaded each time the server is rebooted. The parameter file is where all the changes you make to the server and each port are saved. This file needs to be protected so that it does not get corrupted during a reboot.

In order to make changes to the parameter file (i.e. configure the unit), you must be in privileged (priv) mode. The sequence is as follows (note the user command and the default privilege password, which is the same on every unit shipped and should be changed before the server is left reachable on the network):

Xyplex> set priv
Password: system
Xyplex>>

The port prompt has changed to include a double greater-than symbol. You may shorten this sequence to the single command string set priv system, but this is software version dependent.


The server has two memory levels, if you will, and thus there are two types of commands used during configuration.

Level 1 is Active Memory (or the operational database), the current configuration the server and ports are working with while the unit is in operation. Should you issue a SET command to change a parameter to a different value, that configuration change would be lost when the port is logged out (for port settings) or when the server is rebooted. The SET command allows a temporary change to the active working parameter set. If the SET command was used to change a port setting, that setting reverts to the original setting when the port resets for any reason (including a simple logout by the user on that port, someone in privileged mode logging that port out, or a reboot of the server).

Level 2 memory is Permanent Memory (or the stored configuration), which is recalled upon a reboot or port logout. Should you want to make a change to the server and port settings that needs to be recalled after a reboot of the server or after a port is logged out, a DEFINE command is required.

The SET commands can be used by both privileged and non-privileged users. The DEFINE commands are limited to the privileged user only. The following examples illustrate the effect of the SET command versus the DEFINE command after a user logs out:

Change the port prompt in the Active Memory configuration:

Xyplex> set port prompt "Port_3"

The yield of the above command:

Port_3> logout

After the user logs out, the port will reset and go back to the values defined in the Permanent Memory database. Note the port prompt once the user logs back into the port:

Xyplex>

Change the port prompt in the Level 2 Permanent Memory configuration:

Xyplex>> define port prompt "Port_3"

The yield of the above command:

Xyplex>> logout

After the user logs out of the port, it will reset and read the settings stored in the permanent database, implementing the new setting. Note the port prompt once the user logs back into the port:

Port_3>

When configuring the access server, there is a parameter feature called "CHANGE" that, when enabled, will automatically execute the SET command whenever you issue a DEFINE command, thus eliminating the need for typing in the second command line.

To enable the CHANGE feature, execute:


Xyplex>> set server change enable
Xyplex>> define server change enable

Here is how it is helpful: When you define an internet address to the server using define server internet address 10.10.10.3, the ip-address is written to permanent memory, which would then require either the SET command to also be issued or a reboot of the entire server in order for the value to become active. If you only issued a SET command with set server internet address 10.10.10.3, the ip-address would become active immediately, but be lost when the server was rebooted unless the DEFINE was also performed. This example illustrates that changing both the temporary and permanent configuration would require two commands without a reboot. With CHANGE enabled, when you issued the define server internet address command, the server would:

• Update the permanent configuration database,

• Automatically execute the SET command so the ip-address would become active right away without requiring a reboot.

Please Note: NOT all server or port parameters can be changed with the SET command. When the CHANGE feature is enabled, at some point you will define some parameter and be prompted with a warning or informational message:

Xyplex -729- Parameter cannot be modified by a SET command.

Some of the commands cannot be "set" because the change could affect any users that may be logged into that particular server/port(s). The message is also displayed when enabling certain server-wide features and protocols (such as LPD, Radius, IPX, etc), because memory resources will need to be allocated for the feature's use. These features will also display the message Xyplex -705- Change leaves approximately # bytes free.

If you see this message after making a parameter change to a port, you will need to reset the port for the change to become active/operational immediately. To do this, you simply need to issue the command logout port # (which, in addition to "set"-ting the parameter, will also disconnect any user who may be connected to it):

Xyplex>> logout port #

(where "#" is the physical port number you made the change to)

If you see this message after issuing a command to change a server-wide parameter, or enable a feature, then you will need to reboot the server at some point for the new parameter to be implemented. Follow the instructions on safe reboot methods in the next section of this paper.
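The two-level memory described above (active versus permanent, SET versus DEFINE, and the CHANGE feature) is easy to get wrong when scripting a server, so here is an added Python model of the rules as the primer states them. It is an illustration written for this workbook, not code from Xyplex/iTouch or from the lab; the parameter names and the set of parameters treated as not SET-able (triggering the -729 message) are constructed for the example.

```python
"""Model of the Xyplex two-level parameter memory (active vs permanent).

Added illustration, not code from the lab workbook or from Xyplex/iTouch.
The parameter names and the DEFINE_ONLY set are constructed for the example;
the rules modelled are the ones the primer describes:
  - SET changes only the active (level 1) copy and is lost on port reset
    or server reboot,
  - DEFINE changes only the permanent (level 2) copy, which is reloaded
    on port reset / reboot,
  - with SERVER CHANGE ENABLED a DEFINE also performs the SET,
  - some parameters cannot be SET at all (message -729) and need a port
    logout or a reboot before the DEFINEd value becomes active.
"""
from dataclasses import dataclass, field

# Constructed for the example: parameters the model treats as not SET-able.
DEFINE_ONLY = {"server lpd", "server radius"}


@dataclass
class ParameterStore:
    active: dict = field(default_factory=dict)      # level 1, operational database
    permanent: dict = field(default_factory=dict)   # level 2, stored configuration
    change_enabled: bool = False
    messages: list = field(default_factory=list)

    def set(self, name, value):
        """SET: temporary change to the active database only."""
        if name in DEFINE_ONLY:
            self.messages.append("-729- Parameter cannot be modified by a SET command.")
            return False
        self.active[name] = value
        return True

    def define(self, name, value):
        """DEFINE: write to permanent memory; with CHANGE enabled also SET."""
        self.permanent[name] = value
        if name == "server change":
            self.change_enabled = (value == "enabled")
        if self.change_enabled:
            self.set(name, value)   # records -729 for define-only parameters

    def logout_port(self):
        """Port reset: port settings are reloaded from permanent memory."""
        for k in [k for k in self.active if k.startswith("port ")]:
            self.active.pop(k)
        for k, v in self.permanent.items():
            if k.startswith("port "):
                self.active[k] = v

    def reboot(self):
        """Reboot: the whole active database is reloaded from permanent memory."""
        self.active = dict(self.permanent)
        self.messages.clear()

    def get(self, name, default=None):
        return self.active.get(name, default)


def set_vs_define_demo():
    """The port prompt example from the primer: SET is lost, DEFINE survives."""
    s = ParameterStore()
    s.set("port prompt", "Port_3")
    before = s.get("port prompt")         # "Port_3" while logged in
    s.logout_port()
    after_set = s.get("port prompt")      # None: SET did not survive the reset
    s.define("port prompt", "Port_3")
    s.logout_port()
    after_define = s.get("port prompt")   # "Port_3": reloaded from permanent memory
    return before, after_set, after_define


def change_feature_demo():
    """The internet address example: DEFINE alone vs DEFINE with CHANGE enabled."""
    s = ParameterStore()
    s.define("server internet address", "10.10.10.3")
    without_change = s.get("server internet address")   # None until SET or reboot
    s.define("server change", "enabled")
    s.define("server internet address", "10.10.10.4")
    with_change = s.get("server internet address")      # active right away
    s.define("server lpd", "enabled")                   # define-only: -729 message
    msg = s.messages[-1]
    s.reboot()
    return without_change, with_change, msg, s.get("server lpd")
```

Running set_vs_define_demo() returns ("Port_3", None, "Port_3"), and change_feature_demo() shows the address becoming active only once CHANGE is enabled, while the LPD feature still needs the reboot before it is active.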

D.1.5 Rebooting

Important: To reboot the server, it is strongly recommended you use the configuration/parameter friendly reboot command initialize:

Xyplex>> initialize

This is a command where the server will, by default, wait for one minute before it automatically reboots using the boot/load sequences discussed earlier. You can also modify the time to reboot by providing a time argument:


Xyplex>> initialize delay #

(where "#" is the number of minutes before the unit will reboot)

If the time argument is "0" the unit will reboot immediately. If the time argument is greater than "0", the server will reboot in the number of minutes specified.

The beauty of the initialize command is that it is parameter-database friendly. Provided the parameter/configuration file is current and up-to-date and in an idle state (see the show parameter server screen), the server will terminate all processes and proceed through a normal bootstrap process. If the server is still writing the parameter changes to permanent memory, it will not prematurely terminate the write process, so as to prevent corruption of the parameter database. The server will instead give you a warning message:

Xyplex -198- WARNING - changed configuration has not been saved.

After you issue the last define command, the server waits a period of time to make sure there are no more defines to follow, then it writes the "lump sum" of your commands all at once to the parameter storage locations (i.e. flashcard, NVS, host). All of this takes approximately 30-40 seconds from the moment you issued the last define command. If the unit is forced to reboot while writing parameters, then the file will get corrupted. The initialize command will not force a reboot, and therefore, if it has not yet saved the changes, it will display the above message. Should this happen, give the Xyplex device another minute or so in order to complete the process of writing the parameter database to memory, then try issuing the initialize command again.

D.1.6 Normally NOT Suggested

There are three methods of rebooting the access server that are not sensitive to the storing status of the parameters. It is not suggested you execute any of them unless you verify the parameters are saved and current beforehand. The server command to check on the status of the parameter file storage state is:

Xyplex>> show parameter server

Check for the status, version, and storage state of the parameter servers. The storage state needs to be "Idle", the status should be "current", and the versions at each location should be the same as the value listed next to "Last Update Version" in the first column. Again, the parameter database health is your responsibility should you do any of the next three processes.

• There is a server command CRASH. This command will reboot the server, but the process is as gentle as the word itself reflects. When you use this command, the server will immediately attempt to dump its core memory to a dump server. CRASH is not sensitive to the state of the parameter set. If the server is writing parameters to permanent memory, this command will terminate the write process immediately and there is a 100

• Another reboot process that is NOT sensitive to the parameter set is a power cycle of the unit. In other words, pulling the power cord. All processes are terminated immediately, including all the rules related to checking for a complete and valid parameter set. Defaulting the unit will be in order if the parameter database gets corrupted.

• The third reboot process, again not suggested, is using the reset switch. Pressing the reset switch with a paperclip two quick times will force the server to reboot. This process is also NOT parameter database sensitive. Should the server be writing parameters to memory, the write and verify process is terminated regardless of whether or not the process had been completed. If the unit displays a flash error code on a reboot, you will have to default the server parameters and start anew as well.

On a positive note: It is possible that, if the parameter file is current and in an idle state, and you happen to reboot using these last three mechanisms, you could be in luck and not have a problem. These reboot methods do work, but there is a high level of risk when used. It is best to always reboot using the initialize command whenever it is possible to access the server's command line interface (CLI).
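The pre-reboot check described in this section (storage state Idle, status current, every location at the Last Update Version) is the kind of thing worth automating before an Expect script sends initialize to a batch of servers. The Python below is an added example for this workbook, not code from Xyplex/iTouch; the layout of the captured show parameter server screen is constructed for the example (key/value lines followed by a small per-location table), so the regular expressions must be adapted to the real screen.

```python
"""Pre-reboot check of the parameter storage state.

Added example, not code from the lab workbook or from Xyplex/iTouch. The
primer says to reboot with INITIALIZE only when "show parameter server"
reports storage state Idle, status current, and every location's version
equal to "Last Update Version". The screen layout below is CONSTRUCTED for
this example; the real screen may differ, so adapt the regexes to it.
"""
import re

# Constructed sample capture: a server that is safe to reboot ...
SAFE_SCREEN = """\
Parameter Server Characteristics
  Storage State:          Idle
  Last Update Version:    1042
  Status:                 Current

  Location      Status    Version
  Flashcard     Current   1042
  NVS           Current   1042
"""

# ... and one captured while the last DEFINEs are still being written out.
BUSY_SCREEN = """\
Parameter Server Characteristics
  Storage State:          Writing
  Last Update Version:    1043
  Status:                 Changed

  Location      Status    Version
  Flashcard     Current   1042
  NVS           Writing   1043
"""


def parse_parameter_server(screen: str) -> dict:
    """Extract storage state, last update version and the per-location rows."""
    state = re.search(r"Storage State:\s*(\S+)", screen)
    last = re.search(r"Last Update Version:\s*(\d+)", screen)
    status = re.search(r"^\s*Status:\s*(\S+)", screen, re.M)
    rows = re.findall(r"^\s*(Flashcard|NVS|Host)\s+(\S+)\s+(\d+)\s*$", screen, re.M)
    return {
        "storage_state": state.group(1) if state else None,
        "last_update_version": int(last.group(1)) if last else None,
        "status": status.group(1) if status else None,
        "locations": [(loc, st, int(ver)) for loc, st, ver in rows],
    }


def reboot_blockers(screen: str) -> list:
    """Return the reasons INITIALIZE should wait; an empty list means safe."""
    p = parse_parameter_server(screen)
    problems = []
    if p["storage_state"] != "Idle":
        problems.append(f"storage state is {p['storage_state']}, not Idle")
    if (p["status"] or "").lower() != "current":
        problems.append(f"status is {p['status']}, not current")
    for loc, st, ver in p["locations"]:
        if ver != p["last_update_version"]:
            problems.append(f"{loc} holds version {ver}, last update is "
                            f"{p['last_update_version']}")
        if st.lower() != "current":
            problems.append(f"{loc} status is {st}")
    if not p["locations"]:
        problems.append("no parameter storage locations found in capture")
    return problems


def safe_to_initialize(screen: str) -> bool:
    """True only when every check the primer lists passes."""
    return not reboot_blockers(screen)


if __name__ == "__main__":
    for name, screen in (("safe", SAFE_SCREEN), ("busy", BUSY_SCREEN)):
        print(name, "->", "initialize" if safe_to_initialize(screen)
              else "; ".join(reboot_blockers(screen)))
```

A script that feeds the real screen capture into reboot_blockers() and only then sends initialize gets the same protection the interactive -198- warning gives an operator at the console, and refuses to proceed on a capture it cannot parse.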

D.1.7 Additional Information

The NBase-Xyplex Access Servers are reliable network devices. They support several network protocols for loading their runtime code and server profile configuration/parameter files. Once the server is up and running, it can be configured to operate with permanent and temporary settings using the Define and Set commands at the server's command line interface, i.e. the port prompt. The Access Server provides a help utility to solve command line syntax errors. It will always highlight or note the command or argument that is not known and will provide you with a list of valid commands or verbs it was expecting to see. The Access Server also provides informational and warning messages when certain conditions are met to assist you when working with and configuring the server. You are able to reboot the server from local or remote locations using the Initialize command, knowing it will validate the status of the parameter file first.

A key element when working with devices attached to physical ports on the server is the wiring between the ports and third party devices. The manual NBase-Xyplex provides with each unit will list the expected DTE and DCE pinouts and cable to use. The server supports various show port screens to display the port status and port counters, not discussed above, that can be used in troubleshooting communications issues. The Access Server also allows you to view port characteristics, alternate characteristics, and telnet characteristics to look at various port settings. These and many more commands are described and discussed in the Commands Reference Guide. This and other manuals are on the NBase-Xyplex Web page as well as on CD-ROM.

The intent of this document was to give a brief overview of a few key issues the System Administrator should know when working with the Access Server. The Access Server is a flexible device that can be configured to meet many and various needs.

D.1.8 Additional Documentation and Resources

NBase-Xyplex has available on our web site numerous detailed command line help files to assist you in configuring the access server and its ports. Help files are also available that outline the process to use certain Host applications and features which interact with the access server's functionality (ex. CSPORTD printing, etc); as well as some unique configurations other customers have implemented.

The web URL below brings you to the main page of the Customer Support area. For configuration and troubleshooting assistance, there are links here to our Technical Papers, Technical Tips, FAQ Finder, Manuals and User Guides, Software Downloads, and more.

http://www.nbase-xyplex.com/support/index.cfm


Customers who have purchased one of NBase-Xyplex's various Service Support contract offerings will have access to a password-protected area where they can download the latest software updates from the web URL below:

http://www.nbase-xyplex.com/support/software/index.cfm

For Technical Papers specific to the Access Server, point your browser to:

http://www.nbase-xyplex.com/support/documentation/tp/access_menu.cfm

For Manuals and User Guides specific to the Access Server, point your browser to:

http://www.nbase-xyplex.com/support/documentation/product/guides/index.cfm?doc=accessserver

For Software Updates specific to the Access Server, point your browser to:

http://www.nbase-xyplex.com/support/contract/software/index.cfm?query=access

Copyright 2001 iTouch Communications, Inc.


D.2 Setting An MX-1600, MX-1608 or MX-1450 To Factory Defaults

• Straighten a paper clip and press it into the pin-size hole next to the console LED on the front panel of the unit. All LEDs on the front of the unit will light up.

• Press the paper clip in again and hold it in for 3-5 seconds. The LEDs will light up in a sweeping fashion from right to left, then left to right. When this sweeping stops, there will be 2 or 3 LEDs to the right lit; at this point release the paper clip.

• The LEDs will light up in a countdown pattern to 1 (diagnostic test pattern). Then they will all go out and the RUN light will be flashing very fast. You should have a terminal attached to one of the serial ports on the back of the unit. Press the ENTER key several times for the port to autobaud. You will see a text display similar to this:

Terminal Server, Type 97, Rev G.00.00
Ethernet address 08-00-87-05-A1-16, port 2
Configuration in progress. Please wait

• Type the password access (there is no password prompt and it will not display the characters you type) and then press ENTER on your keyboard. The menu below will display. Please select the menu options and answer the questions as detailed below to default your unit.

• To Default The Server Load/Dump Parameters:

Welcome to the Configuration Menu.

Terminal Server Configuration/Maintenance Menu

1. Display unit configuration
2. Modify unit configuration
3. Initialize server and port parameters
4. Revert to stored configuration
S. Exit saving configuration changes
X. Exit without saving configuration changes
Enter menu selection [X]: 2

Initialize configuration to defaults (Y,N) [N]? Y

(Type any key to continue)

Press ENTER on your keyboard at this time...

• To Default The Server And Port Parameters:

Terminal Server Configuration/Maintenance Menu

1. Display unit configuration
2. Modify unit configuration
3. Initialize server and port parameters
4. Revert to stored configuration
S. Exit saving configuration changes
X. Exit without saving configuration changes
Enter menu selection [X]: 3

When the software has been loaded, should default server and port parameters be used (Y,N) [N]? Y

• Save Configuration Changes And Reboot The Server:

Terminal Server Configuration/Maintenance Menu

1. Display unit configuration
2. Modify unit configuration
3. Initialize server and port parameters
4. Revert to stored configuration
S. Exit saving configuration changes
X. Exit without saving configuration changes
Enter menu selection [X]: S

Save changes and exit (Y,N) [Y]? Y

The access server will now reboot using factory settings.

Copyright 2001 iTouch Communications, Inc.


D.2.1 Configuring MX1600 To Load Image Via DTFTP

• Push a straightened paper clip into the pin-size hole on the far left side of the front panel (N9-720) or the pin-size hole next to the CONSOLE LED for the MX16xx series (insertion time is 1 second). All the LEDs will light up.

• Push the paper clip in again and hold it in for about 3-4 seconds. The LEDs will light up in a sweeping fashion from right to left, then left to right. When this pattern stops and LEDs 14, 15, 16 are lit, remove the paper clip.

• The LEDs will light up in a countdown pattern to 1, which is the diagnostic test. After they all go out, the RUN light will blink very fast. You should have a terminal or PC attached to one of the RJ-45 ports on the back of the server. Press the ENTER key on your keyboard several times to autobaud your terminal to the port speed. You will see text displayed similar to this:

Terminal Server, Type 97, Rev G.00.00
Ethernet address 08-00-87-0A-B9-BB
Configuration in progress. Please wait.

Please type the login password access at this time (there is no password prompt and it will not display the characters you type).

Welcome to the Initialization Configuration Menu.

Terminal Server Configuration Menu

1. Display unit configuration
2. Modify unit configuration
3. Initialize server and port parameters
4. Revert to stored configuration
X. Exit saving configuration changes
S. Exit without saving configuration changes

Enter menu selection [X]: 1

                            Stored Configuration         New Configuration

Status:                     Enabled                      Enabled
Image load method:          CARD XMOP MOP BOOTP RARP     CARD XMOP MOP BOOTP RARP
Parameter load method:      NVS XMOP MOP BOOTP RARP      NVS XMOP MOP BOOTP RARP
Dump method:                XMOP MOP BOOTP RARP          XMOP MOP BOOTP RARP
CARD/XMOP/MOP filename:     XPCS00S                      XPCS00S
Default unit IP addr:       0.0.0.0                      0.0.0.0
DTFTP host IP addr:         N/A                          N/A
DTFTP gateway IP addr:      N/A                          N/A
DTFTP filename:             N/A                          N/A
Load status messages:       Enabled                      Enabled
Network interface:          Automatic                    Automatic
Memory size expected:       4 Megabytes                  4 Megabytes (Found 4 Megabytes)


(Type any key to continue)

Terminal Server Configuration Menu

1. Display unit configuration
2. Modify unit configuration
3. Initialize server and port parameters
4. Revert to stored configuration
S. Exit saving configuration changes
X. Exit without saving configuration changes

Enter menu selection [X]: 2

Set Initialization record #1 to defaults (Y,N) [N]? N

Enable initialization record #1 (Y,N) [Y]? Y

Enable ALL methods for image loading (Y,N) [N]? N

Toggle (CARD,DTFTP,XMOP,MOP,BOOTP,RARP) load methods [C,X,M,B,R]: D

Toggle (CARD,DTFTP,XMOP,MOP,BOOTP,RARP) load methods [C,D,X,M,B,R]: (hit ENTER)

Enable ALL methods for parameter loading (Y,N) [Y]? (hit ENTER to accept defaults)

Enable ALL methods for dumping (Y,N) [Y]? (hit ENTER to accept defaults)

CARD/XMOP/MOP image filename (16 characters max) [XPCSRV20]: (hit ENTER)

Enter unit IP address [0.0.0.0]: enter IP address of access server

Enter host IP address [0.0.0.0]: enter IP address of the load host

Enter gateway IP address [0.0.0.0]: enter IP address of router

Enter TFTP image filename (64 characters max.) : xpcs00s.sys

Note: Some UNIX hosts do not use /tftpboot as the tftp home directory. If your host uses a different path, please enter it as part of the image filename. Example:

Enter TFTP image filename (64 characters max.) : /usr/tftp/xpcs00s.sys

(Type any key to continue)

Terminal Server Configuration Menu

1. Display unit configuration
2. Modify unit configuration
3. Initialize server and port parameters
4. Revert to stored configuration
S. Exit saving configuration changes
X. Exit without saving configuration changes

Enter menu selection [X]: S

Save changes and exit (Y,N) [Y]? Y

Changes saved.

The access server will now reboot using the DTFTP information entered above.

To enable DTFTP on a running server using the Xyplex Command Language Interface:

Xyplex>> DEFINE SERVER IMAGE LOAD PROTOCOL DTFTP ENABLED
Xyplex>> DEFINE SERVER INTERNET ADDRESS x.x.x.x (server address)
Xyplex>> DEFINE SERVER INTERNET LOAD HOST x.x.x.x (host address)
Xyplex>> DEFINE SERVER INTERNET LOAD GATEWAY x.x.x.x (1st hop router)
Xyplex>> DEFINE SERVER INTERNET LOAD FILE "xpcs00s.sys"

Copyright 2002 iTouch Communications, Inc.


D.3 Configuring SYSLOG On Access Servers

Many Customers are having problems configuring SYSLOG on their Access Server and their UNIX Hosts.

The procedure is twofold. The Access Server needs to have SYSLOGD enabled and pointed to a UNIX Host, and the UNIX host needs to be configured to be running SYSLOG and have a definition for where the syslog information from the Access Server should be stored.

D.3.1 Configure the Access Server for SYSLOGD

Xyplex >> define server accounting entries 1000

This will enable the accounting feature, by defining the maximum number of accounting entries.

Xyplex >> define server daemon syslogd enabled 192.9.200.1

This will enable the syslogd on the Access Server and also point it to the UNIX host with ip-address 192.9.200.1.

Xyplex>> init delay 0

This will re-initialize the Access server for the changes to take effect.

Xyplex >> set server verbose accounting enabled

This will enable the VERBOSE accounting on the Access Server.

D.3.2 Setting a Priority Number

There are several priority levels that define what type of information will be stored to the SYSLOG host. The priorities are:

− LOG_EMERG, 0, A severe condition.

− LOG_ALERT, 1, A condition the system manager needs to correct immediately.

− LOG_CRIT, 2, A critical condition such as a hard device error.

− LOG_ERR, 3, A software error condition.

− LOG_WARNING, 4, A warning message.

− LOG_NOTICE, 5, Conditions that may require specific procedures to adjust them.

− LOG_INFO, 6, Normal condition. Informational messages.

− LOG_DEBUG, 7, Messages with information useful for test situations only.

The priority chosen on the Access Server will match with the one defined on the UNIX host. To specify the priority number on the Access Server:


Xyplex >> set server verbose priority 7

This will set the priority to 7. NOTE: Level 7 will also get all messages from priorities lower than 7.

Xyplex >> clear server accounting

This will clear the accounting log, so that the first information will be the newest.

Xyplex >> show server accounting

This will display the accounting information stored locally on the Access Server.

720-console> show server account

ACCOUNTING SUMMARY/SYSTEM LOG (ENTRIES WILL LOG AT OR BELOW PRIORITY LEVEL: 7)

02 May 1996 14:48:27 Accounting Summary/System Log Cleared by Port 15
02 May 1996 14:49:26 source:08-00-87-06-52-34 dest:140.179.240.14 port:0 user:(Remote) type:Rtelm
02 May 1996 14:49:31 Port: 00 User: wilbur User Login.
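Once the accounting entries arrive on the syslog host they are plain text lines like the three above, so the useful next step for the lab is to parse them and apply the same "at or below priority level" rule the server uses. The Python below is an added example for this workbook, not code from Xyplex/iTouch: the log lines are the ones quoted in the show server accounting output and the priority table is the one listed in D.3.2, but the primer does not say which priority the server assigns to each kind of entry, so the ENTRY_PRIORITY mapping is a constructed assumption.

```python
"""Parse Xyplex accounting/system-log entries and apply the priority filter.

Added example, not code from the lab workbook or from Xyplex/iTouch. The
sample lines are the ones quoted from "show server accounting"; the
priority table is the one from D.3.2. Which priority the server assigns to
each kind of entry is NOT stated in the primer, so ENTRY_PRIORITY is a
constructed assumption for the example.
"""
import re
from datetime import datetime

# Priority table from the primer (lower number = more severe).
PRIORITIES = {
    "LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
    "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7,
}

# Constructed assumption: kind of entry -> priority name.
ENTRY_PRIORITY = {"cleared": "LOG_NOTICE", "session": "LOG_INFO", "login": "LOG_INFO"}

# The three entries quoted in the primer's sample output.
SAMPLE_LOG = """\
02 May 1996 14:48:27 Accounting Summary/System Log Cleared by Port 15
02 May 1996 14:49:26 source:08-00-87-06-52-34 dest:140.179.240.14 port:0 user:(Remote) type:Rtelm
02 May 1996 14:49:31 Port: 00 User: wilbur User Login.
"""

TS = r"(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) "
PATTERNS = [
    ("cleared", re.compile(TS + r"Accounting Summary/System Log Cleared by Port (?P<port>\d+)")),
    ("session", re.compile(TS + r"source:(?P<source>\S+) dest:(?P<dest>\S+) port:(?P<port>\d+) "
                                r"user:(?P<user>\S+) type:(?P<type>\S+)")),
    ("login",   re.compile(TS + r"Port: (?P<port>\d+) User: (?P<user>\S+) User Login\.")),
]


def parse_entry(line: str):
    """Return a dict for a recognised entry, or None for a line we do not know."""
    for kind, pat in PATTERNS:
        m = pat.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["kind"] = kind
            rec["when"] = datetime.strptime(rec.pop("ts"), "%d %b %Y %H:%M:%S")
            rec["priority"] = PRIORITIES[ENTRY_PRIORITY[kind]]
            return rec
    return None


def parse_log(text: str) -> list:
    """Parse every line, silently skipping lines that match no known pattern."""
    return [r for r in (parse_entry(line) for line in text.splitlines()) if r]


def entries_at_or_below(records, level: int) -> list:
    """The server's rule: 'entries will log at or below priority level N'."""
    return [r for r in records if r["priority"] <= level]


def logins_by_user(records) -> dict:
    """Count 'User Login' entries per user name, a quick audit summary."""
    counts = {}
    for r in records:
        if r["kind"] == "login":
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in entries_at_or_below(recs, 7):
        print(r["when"], r["kind"], r.get("user", ""), r.get("dest", ""))
    print(logins_by_user(recs))
```

With the verbose priority at 7 all three entries pass the filter; at 5 only the "log cleared" notice does, which is exactly why a low verbose priority on the server hides the login and session records an administrator usually wants on the syslog host.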

D.3.3 Configure the Unix Host for SYSLOGD

Well, we don’t need that, do we?

Again, the stuff is Copyright by iTouch Communications, Inc.


Document History

Date          Version   Status   Remark
24-Nov-2002   0.99      Draft    Migrated from old 'Testbed and Tools' format
dd-mmm-yyyy   ...
dd-mmm-yyyy   ...
dd-mmm-yyyy   ...

Table 1 Document History
