01 Feb

WAAS Express on ISR G2

WAAS (Wide Area Application Services) was introduced to the market a few years ago. It was used to increase the performance of low-bandwidth links with high delay or jitter. The main disadvantage of this solution was that it required at least 3 components: a central manager and two accelerators, which could be external or a router module. But it was an all-hardware solution. With WAAS Express, introduced in IOS 15.1(2)T, some form of acceleration can be provided in software.

08 Nov

SSH is always running on ASR9K

On traditional IOS routers SSH is enabled if you have K9 software, the SSH server enabled and a proper key pair generated on the device. It seems that IOS XR works differently: SSH is enabled and working even if you have no keys generated.
When you try to connect to such a router you get the following message:

Anomander:~ peper$ ssh [email protected]
no hostkey alg

and in the router logs:

RP/0/RSP0/CPU0:ASR9K#RP/0/RSP0/CPU0:Oct 29 13:18:20.167 : SSHD_[65804]: %SECURITY-SSHD-3-ERR_ERRNO : Failed to retreive host key-pair No error

No error? Well, there is an error – no keys were generated. This is cosmetic, but it would be nice if SSH didn’t work at all until proper keys are generated, or if no misleading error message were displayed.

24 Oct

No EIGRP neighbor authentication on ASR9K

A Cisco representative recently tried to tell me there is feature parity between platforms on IOS XR. In general maybe there is, but in the details there is not. My previous example about the lack of GRE tunnels is not valid anymore, as this feature was added in release 3.9.2 on ASR 9000 routers. Previously the configuration of GRE tunnels would not be committed because it was not supported.

Things are different when you try to implement authentication for EIGRP neighbors using key chains. According to the official configuration guide, this feature is not supported in IOS XR on the ASR 9000 platform, but is supported on CRS-1. So a configuration like this should not be validated and committed:

key chain test
 key 1
  key-string password 12345
!
router eigrp 65500
 address-family ipv4
  interface Bundle-Ether1.100
   authentication keychain test

Too bad that in this case, even though the feature is not supported, the IOS XR CLI lets the configuration be committed. No neighborship will ever be established over that link, though.

EIGRP authentication is not supported in the 3.9 or 4.0 releases of IOS XR.

07 Oct

Different default BGP prefix policy on ASR9k

The ASR 9000 with IOS XR requires the administrator to apply a routing policy for every neighbor. This behavior is different from IOS, where a router with no policy applied accepts and sends all prefixes without limitation. So if we make the following configuration:

router bgp 65374
 neighbor 10.129.11.51
  remote-as 1234
  ebgp-multihop 10
  update-source Bundle-Ether1.260
  graceful-restart
  address-family ipv4 unicast
   soft-reconfiguration inbound always

the router will inform us that no prefixes will be sent or received on this session:

RP/0/RSP0/CPU0:Aug 20 08:56:13.388 : bgp[137]: %ROUTING-BGP-6-NBR_NOPOLICY : No inbound IPv4 Unicast policy is configured for eBGP neighbor 10.129.11.51. 
No IPv4 Unicast prefixes will be accepted from the neighbor until inbound policy is configured. 
RP/0/RSP0/CPU0:Aug 20 08:56:13.388 : bgp[137]: %ROUTING-BGP-6-NBR_NOPOLICY : No outbound IPv4 Unicast policy is configured for eBGP neighbor 10.129.11.51. 
No IPv4 Unicast prefixes will be sent to the neighbor until outbound policy is configured. 

So a proper configuration always has to contain a policy attached to the neighbor in the proper address-family. In the following example we’re making the router send and accept all prefixes:

route-policy Accept-All
  pass
end-policy
!
router bgp 65374
 neighbor 10.129.11.51
  remote-as 1234
  ebgp-multihop 10
  update-source Bundle-Ether1.260
  address-family ipv4 unicast
   route-policy Accept-All in
   route-policy Accept-All out
   soft-reconfiguration inbound always

Update: as my friend pointed out, this is the default behavior for eBGP peers only; for iBGP it works as in standard IOS and all prefixes are passed to neighbors by default.
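
Added example (not from the original post): a Python check that reads an IOS XR configuration and lists eBGP neighbors whose address families have no inbound or outbound route-policy, or attach one whose body is only pass. The sample configuration is constructed, the function name is hypothetical, and the parser assumes a single router bgp block with remote-as set directly under each neighbor before its address-family.

```python
import re

# Constructed sample: the first neighbor mirrors the post's policy-less
# config, the second attaches Accept-All, the third is iBGP (same AS).
SAMPLE_XR_CONFIG = """\
route-policy Accept-All
  pass
end-policy
!
router bgp 65374
 neighbor 10.129.11.51
  remote-as 1234
  address-family ipv4 unicast
 neighbor 10.129.11.52
  remote-as 1234
  address-family ipv4 unicast
   route-policy Accept-All in
   route-policy Accept-All out
 neighbor 10.129.11.53
  remote-as 65374
  address-family ipv4 unicast
"""

def audit_ebgp_policies(config):
    """Return (neighbor, address-family, finding) for each eBGP policy gap."""
    # A policy whose whole body is a bare "pass" filters nothing.
    pass_all = set(re.findall(
        r"^route-policy (\S+)\n\s*pass\s*\nend-policy", config, re.M))
    local_as = nbr = remote_as = af = None
    findings, attached = [], {}   # (neighbor, af) -> {"in"/"out": policy}
    for words in filter(None, map(str.split, config.splitlines())):
        if words[:2] == ["router", "bgp"]:
            local_as = words[2]
        elif words[0] == "neighbor" and local_as:
            nbr, remote_as, af = words[1], None, None
        elif words[0] == "remote-as" and nbr:
            remote_as = words[1]
        elif words[0] == "address-family" and nbr:
            af = " ".join(words[1:])
            if remote_as != local_as:         # eBGP: policy is mandatory
                attached[(nbr, af)] = {}
        elif words[0] == "route-policy" and (nbr, af) in attached:
            attached[(nbr, af)][words[-1]] = words[1]
    for (n, a), pol in attached.items():
        for d in ("in", "out"):
            if d not in pol:
                findings.append((n, a, f"no {d}bound policy"))
            elif pol[d] in pass_all:
                findings.append((n, a, f"{d}bound policy {pol[d]} is pass-all"))
    return findings
```

Neighbors that inherit remote-as from a neighbor-group are treated as eBGP by this sketch, so they are reported rather than silently skipped.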

21 Aug

No GRE tunnels on ASR9k (yet)

This was quite an unpleasant surprise – IOS XR on ASR9k does not support GRE tunnels at the moment. It supports IPSec and MPLS-TE but not GRE, which is one of the main and commonly used tunneling techniques. You can define a tunnel-ip interface but you can’t define source and destination handlers. GRE support is supposed to arrive in IOS XR 4.0, which might be released at the end of the year, but with Cisco you never know.

This is what happens when you try to commit an incomplete GRE tunnel configuration:

RP/0/RSP0/CPU0:Aug 20 07:54:57.239 : tunl_gre_ma[426]: %FORWARDING-IP_TUNNEL-4-INIT : Tunnel-IP MA process failed to initialize platform tunnel IDs: 'Not supported' 
RP/0/RSP0/CPU0:Aug 20 07:54:57.913 : sysmgr[94]: tunl_gre_ma(1) (jid 426) (pid 430354) (fail_count 1) abnormally terminated, restart scheduled 
RP/0/RSP0/CPU0:Aug 20 07:54:57.913 : sysmgr[94]: %OS-SYSMGR-3-ERROR : tunl_gre_ma(1) (jid 426) exited, will be respawned with a delay (slow-restart)   
RP/0/RSP0/CPU0:Aug 20 07:54:57.915 : sysmgr[94]: %OS-SYSMGR-3-ERROR : tunl_gre_ma(426) (fail count 1) will be respawned in 10 seconds  
RP/0/RSP0/CPU0:Aug 20 07:54:57.915 : sysmgr[94]: %OS-SYSMGR-7-DEBUG : Feature:tunl_gre_ma tunl_gre_ma[426] (pid 430354) has not sent proc-ready within 90 seconds  
RP/0/RSP0/CPU0:Aug 20 07:54:58.021 : tunl_gre_ma[426]: %FORWARDING-IP_TUNNEL-4-INIT : Tunnel-IP MA process failed to initialize platform tunnel IDs: 'Not supported' 
RP/0/RSP0/CPU0:Aug 20 07:54:58.742 : sysmgr[94]: %OS-SYSMGR-3-ERROR : tunl_gre_ma(1) (jid 426) exited, will be respawned with a delay (slow-restart)   
RP/0/RSP0/CPU0:Aug 20 07:54:58.741 : sysmgr[94]: tunl_gre_ma(1) (jid 426) (pid 434450) (fail_count 1) abnormally terminated, restart scheduled 
RP/0/RSP0/CPU0:Aug 20 07:54:58.744 : sysmgr[94]: %OS-SYSMGR-3-ERROR : tunl_gre_ma(426) (fail count 1) will be respawned in 10 seconds  
RP/0/RSP0/CPU0:Aug 20 07:54:58.744 : sysmgr[94]: %OS-SYSMGR-7-DEBUG : Feature:tunl_gre_ma tunl_gre_ma[426] (pid 434450) has not sent proc-ready within 90 seconds  
RP/0/RSP0/CPU0:Aug 20 07:54:58.747 : sysdb_svr_local[408]: %SYSDB-SYSDB-7-STARTUP : Startup request for 'cfg/if/act/tunnel-ip666/v' from 'config' (jid 65808) failed for a process on a slow starting node 

% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors

23 Jul

BGP Unknown path error on ASR1000

In some situations you can see the following error message while trying to establish a BGP neighborship:

%BGP_SESSION-5-ADJCHANGE: neighbor 192.168.0.2 IPv4 Unicast topology base removed from session  Unknown path error

This can be a misconfiguration, or the internal bug described (or rather just mentioned, because I’d say the bug description is almost empty) in bug ticket CSCsy10339 if you are using a release prior to 12.2(33)XNE. If it is a misconfiguration, you would rather expect an error message like:

%BGP_SESSION-5-ADJCHANGE: neighbor 192.168.0.2 IPv4 Unicast topology base removed from session  Peer closed the session

This can be quite confusing and leads you to look for the problem somewhere other than where it actually is.

26 May

E-OAM loopback on ASR9k

There are two things we have to do to enable E-OAM: configure an OAM profile that defines how OAM will work, and attach that profile to a physical interface. OAM does not work on subinterfaces. In the action section you define what action the router will take when a particular error occurs; in this example the interface will be put in the err-disable state.

11 May

Creating EoMPLS on ASR9k

The process of defining E-Line connections, either local or as EoMPLS, consists of two steps – creating EFPs (Ethernet Flow Points) and defining an xconnect between them. Each EFP represents one customer service demarcation point and can be, for example, a physical subinterface or a bundle. The connection between EFPs can be either local, if both EFPs are in the same chassis (same or different line cards), or an EoMPLS link.

06 Apr

DHCPv6 service

On IOS routers you can disable the built-in DHCP server by issuing the command:

no service dhcp

You would expect that it disables the whole DHCP service, no matter which protocol it serves. Well, you would be wrong. It disables only the IPv4 DHCP service, leaving the IPv6 one still running. Therefore the following configuration

ipv6 dhcp pool IPv6
 dns-server FC00:2::D911:220A
!
interface GigabitEthernet0/0
  ipv6 address FC00:3::1/64
  ipv6 nd other-config-flag
  ipv6 dhcp server IPv6

will still work, and the built-in DHCP server will assign DNS information to a requesting IPv6 host.
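
Added example (not from the original post): a Python check for IOS configurations that contain no service dhcp yet still bind a DHCPv6 pool to an interface, which is the situation described above. The sample configuration is constructed from the post's own, with a second interface added, and the function name is hypothetical.

```python
# Constructed sample: the post's configuration plus a second interface
# without DHCPv6, and "no service dhcp" as the only attempt to disable DHCP.
SAMPLE_IOS_CONFIG = """\
no service dhcp
!
ipv6 dhcp pool IPv6
 dns-server FC00:2::D911:220A
!
interface GigabitEthernet0/0
 ipv6 address FC00:3::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp server IPv6
!
interface GigabitEthernet0/1
 ipv6 address FC00:4::1/64
"""

def dhcpv6_still_served(config):
    """List interfaces that answer DHCPv6 although 'no service dhcp' is set.

    Returns (interface, pool, [pool option lines]) tuples; empty when the
    IPv4 service is not disabled, since then nothing is unexpected.
    """
    v4_disabled = False
    pools, bindings = {}, []      # pool name -> options; (interface, pool)
    section, name = None, None    # current top-level block
    for line in config.splitlines():
        text = line.strip()
        if not text or text == "!":
            continue
        if not line[0].isspace():             # a new top-level command
            words = text.split()
            section, name = None, None
            if text == "no service dhcp":
                v4_disabled = True
            elif words[:3] == ["ipv6", "dhcp", "pool"]:
                section, name = "pool", words[3]
                pools[name] = []
            elif words[0] == "interface":
                section, name = "interface", words[1]
        elif section == "pool":
            pools[name].append(text)
        elif section == "interface" and text.startswith("ipv6 dhcp server "):
            bindings.append((name, text.split()[3]))
    if not v4_disabled:
        return []
    return [(intf, pool, pools.get(pool, [])) for intf, pool in bindings]
```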