%LDP-4-PWD: MD5 protection is required!

MPLS LDP messages (discovery, session, advertisement, and notification messages) are exchanged between LDP peers through two channels:

  • LDP discovery messages are transmitted as User Datagram Protocol (UDP) packets to the well-known LDP port.
  • Session, advertisement, and notification messages are exchanged through a TCP connection established between two LDP peers.

The MPLS LDP—Lossless MD5 Session Authentication feature allows an LDP session to be password-protected without tearing down and reestablishing the LDP session.

Old Style

R2(config)#mpls ldp neighbor 1.1.1.1 password 123
R2(config)#!
R2(config)#interface Ethernet1/0
R2(config-if)# ip address 192.168.1.2 255.255.255.0
R2(config-if)# mpls ip

New Style

R2(config)#access-list 99 permit 1.1.1.1
R2(config)#mpls ldp password required for 99
R2(config)#mpls ldp password option 1 for 99 key-chain KC
R2(config)#!
R2(config)#key chain KC
R2(config-keychain)#key 1
R2(config-keychain-key)# key-string password
R2(config-keychain-key)#!
%LDP-5-NBRCHG: LDP Neighbor 1.1.1.1:0 (1) is UP

The disadvantage of the old method is that when a new password is required for a session, the change requires the LDP session to be torn down. With this feature, new passwords can be implemented or changed without tearing down the existing LDP session.
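The lossless part comes from the key chain: if the old and new keys have overlapping accept and send lifetimes, both peers start accepting the new key before either starts sending it, so no MD5 check ever fails and the TCP session stays up. The following is an added example and not configuration from the original post; the key-chain name KC, ACL 99, neighbor 1.1.1.1, the two key-strings, the NTP server and the dates are assumed values. The same key chain (with the same key-strings) has to be configured on the peer.

```ios
! Added example (not from the original post): rolling the LDP MD5 key without
! dropping the session by using overlapping key lifetimes.
! Lifetimes are only meaningful if the clock is right, so sync time first
! (192.0.2.10 is an assumed NTP server).
ntp server 192.0.2.10
!
access-list 99 permit 1.1.1.1
!
key chain KC
 key 1
  key-string OldPassw0rd
  ! keep ACCEPTING the old key for one hour after we stop SENDING it
  accept-lifetime 00:00:00 Jan 1 2012 01:00:00 Feb 1 2012
  send-lifetime 00:00:00 Jan 1 2012 00:00:00 Feb 1 2012
 key 2
  key-string NewPassw0rd
  ! start ACCEPTING the new key one hour before we start SENDING it
  accept-lifetime 23:00:00 Jan 31 2012 infinite
  send-lifetime 00:00:00 Feb 1 2012 infinite
!
! refuse unauthenticated sessions from 1.1.1.1 and take the key from KC
mpls ldp password required for 99
mpls ldp password option 1 for 99 key-chain KC
!
! verify: "show key chain KC" shows which keys are valid right now and
! "show mpls ldp neighbor 1.1.1.1 detail" shows that a password is in use
```

Because the accept window is wider than the send window on both sides, the order in which the two routers cross midnight on Feb 1 does not matter; the only thing that must match is the key-strings and a clock that is within the one-hour overlap.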


A Networker Blog

My First EEM Applet Script


Cisco IOS Embedded Event Manager (EEM) is a powerful tool integrated with Cisco IOS Software for system management from within the device itself. EEM offers the ability to monitor events and take informational, corrective, or any desired action when the monitored events occur or when a threshold is reached. Capturing the state of the router during such situations can be invaluable in taking immediate recovery actions and gathering information to perform root-cause analysis. Network availability is also improved if automatic recovery actions are performed without the need to fully reboot the routing device.

OK, let's try to prevent someone from turning off Loopback 0! 🙂

The Script:

event manager applet Lo0
event syslog occurs 2 pattern "Loopback0, changed state to admin"
action 1.0 syslog msg "Hey Someone shutdown my loopback0 - Turning it back on"
action 1.1 syslog msg "I am a Smart Router, i will turn my lo0 back up again"
action 1.2 cli command "enable"
action 1.3 cli command "configure ter"
action 1.4 cli command "int lo0"
action 1.5 cli command "no shut"
action 1.6 syslog msg "OK should be back up again"
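The applet above leaves the CLI session in interface configuration mode and only fires on the second occurrence. The following is an added example, not the original script or anything from the Cisco Learning Network, that reacts to the first shutdown, restores the interface, exits configuration mode, and records who was logged in at the time, which is the detail you want for the root-cause analysis mentioned earlier. The applet name, the syslog priority and the user name eem-user are assumed values.

```ios
! Added example (not the original applet): same idea, one occurrence is enough,
! the CLI session is cleaned up, and the logged-in sessions are captured.
event manager applet Lo0-Guard
 ! match the LINK-5-CHANGED message emitted on "shutdown" of Loopback0
 event syslog pattern "Interface Loopback0, changed state to administratively down"
 action 1.0 syslog priority warnings msg "Loopback0 was shut down; re-enabling it"
 action 1.1 cli command "enable"
 action 1.2 cli command "configure terminal"
 action 1.3 cli command "interface Loopback0"
 action 1.4 cli command "no shutdown"
 ! leave config mode so the EEM CLI session does not stay parked in it
 action 1.5 cli command "end"
 ! $_cli_result holds the output of the last cli action: who was on the box
 action 2.0 cli command "show users"
 action 2.1 syslog priority warnings msg "Sessions when Loopback0 went down: $_cli_result"
!
! CLI actions run as an EEM-owned session; if AAA command authorization is
! enabled on the router, give that session a user so the commands are allowed.
event manager session cli username eem-user
```

The applet's own `no shutdown` produces a "changed state to up" message, not an "administratively down" one, so it cannot re-trigger itself. Only the interface the operator shut down is touched; everything else is logging.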


Thanks to The Cisco Learning Network for this tip!


MPLS Traffic Engineering

MPLS TE allows the MPLS-enabled network to replicate and expand upon the TE capabilities of Layer 2 ATM and Frame Relay networks. MPLS uses the reachability information provided by Layer 3 routing protocols and operates like a Layer 2 ATM network. With MPLS, TE capabilities are integrated into Layer 3, which can be implemented for efficient bandwidth utilization between routers in the SP network.


MPLS traffic engineering automatically establishes and maintains the tunnel across the backbone, using RSVP. The path used by a given tunnel at any point in time is determined based on the tunnel resource requirements and network resources, such as bandwidth.

Available resources are flooded via extensions to a link-state based Interior Gateway Protocol  (IGP).

MPLS traffic engineering is built on the following IOS mechanisms:

  • Label-switched path (LSP) tunnels, which are signalled through RSVP, with traffic engineering extensions. LSP tunnels are represented as IOS tunnel interfaces, have a configured destination, and are unidirectional.
  • A link-state IGP (such as IS-IS) with extensions for the global flooding of resource information, and extensions for the automatic routing of traffic onto LSP tunnels as appropriate.
  • An MPLS traffic engineering path calculation module that determines paths to use for LSP tunnels.
  • An MPLS traffic engineering link management module that does link admission and bookkeeping of the resource information to be flooded.
  • Label switching forwarding, which provides routers with a Layer 2-like ability to direct traffic across multiple hops as directed by the resource-based routing algorithm.


All routers need to have the following configuration


OSPF must be configured to flood opaque LSAs. Like any other LSA, the opaque LSA uses the link-state database distribution mechanism to flood this information throughout the topology, so on all devices we configured:


The opaque LSA has a flooding scope associated with it, so the scope of flooding may be link-local (type 9), area-local (type 10) or the entire OSPF routing domain (type 11). If you look at the OSPF database on either of these routers now, you will see an entry for the new LSA types.


Each router creates a new Link ID for each link on which traffic-eng is configured.


Here we can see that the maximum bandwidth is 193000 bytes, but only 75% is available for bandwidth reservation.

Now let's configure a tunnel.


Here we can confirm that the tunnel is operational and that it's a dynamic tunnel.


The tunnel runs over the directly connected interfaces between R1 and R5 because that’s the shortest path to the tunnel destination.


Now let's see an explicit path configuration.

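The screenshots in the original post carry the actual configuration. As an added example that is not from the post, here is the per-router base configuration (MPLS TE, RSVP and the OSPF opaque-LSA flooding discussed above) together with an R1 head-end tunnel to R5 that tries an explicit path first and falls back to a dynamic, CSPF-computed path. The addresses, router IDs, interface names, tunnel number and the R1-R2-R5 explicit path are assumed values.

```ios
! Added example (not the original screenshots): MPLS TE base config plus a
! head-end tunnel with explicit and dynamic path options.
!
! --- on every router in the TE domain ---
mpls traffic-eng tunnels
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Ethernet1/0
 description link to R5
 ip address 192.168.15.1 255.255.255.0
 mpls ip
 mpls traffic-eng tunnels
 ! with no argument, 75% of the interface bandwidth is reservable,
 ! which is the 75% visible in the TE topology database
 ip rsvp bandwidth
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
 mpls traffic-eng router-id Loopback0
 ! floods TE link information as type-10 opaque LSAs inside area 0
 mpls traffic-eng area 0
!
! --- head-end only (R1) ---
ip explicit-path name VIA-R2 enable
 next-address 192.168.12.2
 next-address 192.168.25.5
!
interface Tunnel15
 description R1 -> R5 TE tunnel
 ip unnumbered Loopback0
 tunnel mode mpls traffic-eng
 tunnel destination 5.5.5.5
 tunnel mpls traffic-eng bandwidth 1000
 ! lower option number wins; the dynamic option is used only if the
 ! explicit path cannot be signalled
 tunnel mpls traffic-eng path-option 10 explicit name VIA-R2
 tunnel mpls traffic-eng path-option 20 dynamic
 ! let the IGP send traffic for the tunnel tail (and behind it) into the tunnel
 tunnel mpls traffic-eng autoroute announce
!
! verify with: show mpls traffic-eng tunnels Tunnel15
!              show ip ospf database opaque-area
!              show mpls traffic-eng topology
```

With only the dynamic option, the tunnel follows the shortest path, which is the directly connected R1-R5 link as the post shows; the explicit option is what lets you steer it elsewhere, and the path-option ordering is what keeps the tunnel up when that explicit path is unavailable.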


MPLS LDP Time to Converge

When a link flaps, it can take a long time for LDP to re-exchange labels. Of course a network can use the FIB in the meantime, but this can present several problems for applications that rely on MPLS, MPLS VPN to name at least one. With MPLS LDP Session Protection we can provide faster LDP convergence when a link recovers from an outage, and this is done by maintaining the LDP session for a period of time.

Now, when a link fails, we know that in frame-mode MPLS, LDP stores all the labels in the LIB even if they are not used, because the IGP could decide to use another path. The real problem comes into play when the link is recovered: once the IGP determines that the link is available again, it may change the next hop because the path to reach the network is better. The problem here is the POP action used in the LFIB of the router while LDP tries to establish the session again, adding more time for our networks to converge, since the LIB might not contain the label from the new next hop by the time the IGP has converged.

We have two ways to solve the convergence issues we face on flapping links: the first is to use MPLS LDP Session Protection and the second is to use MPLS TE make before.

The MPLS Fundamentals book by Luc De Ghein (CCIE #1897) states:

A common problem in networks is flapping links. The flapping of links can have several causes, but it is not the goal of this book to look deeper into this. Flapping links do have an important impact on the convergence of the network. Because the IGP adjacency and the LDP session are running across the link, they go down when the link goes down. This is unfortunate, especially because the link is usually not down for long. The impact is pretty severe though, because the routing protocol and LDP can take time to rebuild the neighborship. LDP has to rebuild the LDP session and must exchange the label bindings again. To avoid having to rebuild the LDP session altogether, you can protect it. When the LDP session between two directly connected LSRs is protected, a targeted LDP session is built between the two LSRs. When the directly connected link does go down between the two LSRs, the targeted LDP session is kept up as long as an alternative path exists between the two LSRs. The LDP link adjacency is removed when the link goes down, but the targeted adjacency keeps the LDP session up. When the link comes back up, the LSR does not need to re-establish the LDP session; therefore, the convergence is better. The global command to enable LDP Session Protection is this:

mpls ldp session protection [vrf vpn-name] [for acl] [duration seconds]
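As an added example, not configuration from the post or from the book, here is what that command looks like in a full configuration, restricted to specific peers and with a bounded hold time. The router-ID loopbacks 2.2.2.2 and 5.5.5.5, ACL 10 and the 300-second duration are assumed values.

```ios
! Added example (not from the original post): protect the LDP sessions to the
! peers listed in ACL 10 for 5 minutes after the link to them goes down.
!
! targeted sessions are built between router IDs, so pin the router ID
! to a loopback that stays reachable over the alternative path
mpls ldp router-id Loopback0 force
!
access-list 10 permit 2.2.2.2
access-list 10 permit 5.5.5.5
!
! keep the targeted session up for 300 s after the link adjacency is lost;
! "duration infinite" keeps it as long as an alternative path exists
mpls ldp session protection for 10 duration 300
!
! Session protection relies on targeted hellos, which the peer must accept.
! Configuring session protection on the peer as well is enough; this is the
! explicit form for a peer that is not itself configured for protection:
mpls ldp discovery targeted-hello accept from 10
!
! verify with: show mpls ldp neighbor detail   ("LDP Session Protection enabled")
!              show mpls ldp discovery         (targeted hellos to the peers)
```

The `for acl` part matters on a large LSR: without it every LDP peer gets a targeted session, and the hold time should be long enough to cover a realistic link flap but not so long that a peer that is really gone keeps its label bindings alive.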


35 @ Sofia, Република България!


35 is the sum of the first five triangular numbers, making it a tetrahedral number.

35 is a centered cube number, a pentagonal number and a pentatope number.

35 is a highly cototient number, since there are more solutions to the equation x – φ(x) = 35 than there are for any other integers below it except 1.

There are 35 hexominoes, the polyominoes made from 6 squares.

35 is a discrete semiprime (or biprime) (5 × 7); the tenth, and the first with 5 as the lowest non-unitary factor. The aliquot sum of 35 is 13, this being the second composite number with such an aliquot sum, the first being the cube 27. 35 is the last member of the first triple cluster of semiprimes 33, 34, 35. 85, 86, 87 is the second such triple discrete semiprime cluster.

Since the greatest prime factor of 35² + 1 = 1226 is 613, which is obviously more than twice 35, 35 is a Størmer number.

35 is the highest number one can count to on one’s fingers using base 6.

and today, 35 years old!

CME SIP Trunk Configuration Example.


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CMERouter
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool ITS
network 192.168.9.0 255.255.255.0
option 150 ip 192.168.9.254
default-router 192.168.9.254
!
!
ip ftp username cisco
ip ftp password cisco
ip name-server 192.168.2.1
!
!
!
!
!
!
voice service voip
allow-connections sip to sip
sip
registrar server expires max 3600 min 600
!
!
!
!
!
!
!
!
!

voice translation-rule 6
rule 1 /^9/ //
!
voice translation-rule 666
rule 1 /300/ /17772028487/
!
!
voice translation-profile OUT
translate calling 666
translate called 6

!
!
!
!
username cisco privilege 15 password 0 cisco
!
!
!
!
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0
ip address 192.168.9.254 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.2.102 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
!
ip http server
no ip http secure-server
ip http path flash:
ip nat inside source list 101 interface FastEthernet0/1 overload
!
access-list 101 deny   ip 10.0.0.0 0.255.255.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 10.0.0.0 0.255.255.255 192.168.9.0 0.0.0.255
access-list 101 permit ip any any
!
!
!
tftp-server flash:P00405000700.bin
tftp-server flash:P00405000700.sbn
tftp-server flash:P00308000500.bin
tftp-server flash:P00308000500.loads
tftp-server flash:P00308000500.sb2
tftp-server flash:P00308000500.sbn
!
control-plane
!
!
!
dial-peer voice 901 voip
translation-profile outgoing OUT
destination-pattern 9.T
session protocol sipv2
session target dns:callcentric.com
dtmf-relay sip-notify rtp-nte
codec g711ulaw
!
sip-ua
authentication username 17772028487 password 1313591A07 realm callcentric.com
no remote-party-id
retry invite 4
retry response 3
retry bye 2
retry cancel 2
retry register 5
timers register 250
registrar dns:callcentric.com expires 3600
sip-server dns:callcentric.com
!
!
telephony-service
max-ephones 10
max-dn 100
ip source-address 10.1.1.1 port 2000
calling-number local secondary
timeouts interdigit 2
create cnf-files version-stamp Jan 01 2002 00:00:00
max-conferences 4 gain -6
web admin system name cisco secret 5 $1$Z2bp$.Ty2WFXnYAi4j7SI5vBHG/
transfer-pattern .T
secondary-dialtone 9
!
!
ephone-dn  1  dual-line
number 300 secondary 17772028487
label CIPC
!
!
ephone  2
mac-address 0025.B370.971B
type CIPC
button  1:1
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
no login
!
!
end
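The running configuration above is a lab box, and it shows it: no service password-encryption, a level-15 local user with a plain-text password, plain HTTP enabled, and vty lines with `no login` and `privilege level 15`, so anyone who can reach the router on the network gets an enable prompt. The following is an added example, not part of the original configuration, showing the management-plane pieces of the same router closed down; the user name, domain name, passwords and timeouts are assumed values, and the voice, NAT and telephony-service configuration stays exactly as above.

```ios
! Added example (not the original configuration): management-plane hardening
! for the CME router above. Only the lines that change are shown.
hostname CMERouter
ip domain-name example.net
!
! hash local credentials instead of "password 0 cisco"; note that
! service password-encryption only type-7 obfuscates the sip-ua and ftp
! passwords, so those still need to be treated as secrets in backups
service password-encryption
no username cisco
username admin privilege 15 secret Str0ngLocalAdminPassw0rd
!
! CME web admin: keep only the TLS listener, authenticated against local users
no ip http server
ip http secure-server
ip http authentication local
!
! SSH only, real login, idle timeout, and no implicit enable on the vtys
! (crypto key generate rsa modulus 2048 is run once from exec mode first)
ip ssh version 2
line vty 0 4
 exec-timeout 10 0
 login local
 transport input ssh
 privilege level 1
!
! console: still local login rather than an open exec
line con 0
 exec-timeout 10 0
 login local
!
! log who changes what, which the EEM post above relies on
archive
 log config
  logging enable
  notify syslog
```

Two things to check after applying this on a real CME: the phones fetch their configuration and firmware over TFTP, not HTTP, so `no ip http server` does not affect them, and `web admin system name ... secret 5` under telephony-service is already a hash, but the GUI it protects is only worth exposing over the secure listener.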

which results in:
