15 Jul

Simple line card performance testing configuration (IOS XR)

It’s an easy trick, but I’m going to put it here anyway so anyone can use it, and so I can easily find the code when I need it 🙂 This is a “snake” that makes traffic from the generator go through all ports on the line cards and between two line cards. It’s made for testing purposes in a lab environment, if you need to verify the performance capability of an ASR9K router (or any other router running IOS XR in this case) for a customer.

23 Apr

Secret changes in Cisco documentation (follow up on “No EIGRP neighbor authentication on ASR9K” post)

I received a comment from Pushpasis Sarkar from Cisco on my previous post about the lack of EIGRP authentication on ASR9k. It made me wonder if I missed something during deployment? I remember we were testing it hard in the lab and the documentation stated clearly it’s not supported. I’m pretty sure, but not 100%, that we were testing key chains both with and without a defined lifetime and cryptographic-algorithm, because we were having some issues with IS-IS and key chains too. And it never worked.

03 Dec

Monitoring CPU usage over SNMP in IOS XR

SNMP on IOS XR is not documented at all right now, in my opinion. Of course IOS XR supports the standard base of MIBs, but if you want to monitor something platform specific it’s hard to guess which MIB you should use. The SNMP Object Navigator on cisco.com does not yet know that there is such a thing as IOS XR or NX-OS.
I got this information from a Cisco representative and I’m putting it here so you can use it too. I had to implement CPU usage monitoring on IOS XR for my customer, but unfortunately the standard MIBs were not working. On IOS XR you have to use cpmCPUTotalTable, defined in CISCO-PROCESS-MIB:

  cpmCPUTotalIndex          .1.3.6.1.4.1.9.9.109.1.1.1.1.1
  cpmCPUTotalPhysicalIndex  .1.3.6.1.4.1.9.9.109.1.1.1.1.2
  cpmCPUTotal1minRev        .1.3.6.1.4.1.9.9.109.1.1.1.1.7
  cpmCPUTotal5minRev        .1.3.6.1.4.1.9.9.109.1.1.1.1.8

cpmCPUTotalIndex is a unique value that identifies each CPU, but it is not a fixed value. To find out which CPU a row describes, look up the entity whose entPhysicalIndex equals that row’s cpmCPUTotalPhysicalIndex.

Update: The same MIBs can be used to monitor supervisor usage on Nexus 7000.
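The lookup described above, as an added example that is not code from the original post: it joins the cpmCPUTotalTable columns listed above to entPhysicalName so that CPU readings are keyed by a stable entity name rather than by cpmCPUTotalIndex. The entPhysicalName OID comes from the standard ENTITY-MIB and is not mentioned in the post; the walk output, index values and entity names are constructed.

```python
import re

CPM = ".1.3.6.1.4.1.9.9.109.1.1.1.1."          # cpmCPUTotalEntry columns
COLUMNS = {"2": "phys", "7": "cpu_1min", "8": "cpu_5min"}
ENT_NAME = ".1.3.6.1.2.1.47.1.1.1.1.7."        # entPhysicalName (ENTITY-MIB)
LINE = re.compile(r'^(\.[\d.]+) = \w+: "?([^"]*)"?$')

# Constructed output in `snmpwalk -On` format; indexes and values are made up.
SAMPLE_WALK = """\
.1.3.6.1.4.1.9.9.109.1.1.1.1.2.2 = INTEGER: 52690955
.1.3.6.1.4.1.9.9.109.1.1.1.1.2.18 = INTEGER: 26932192
.1.3.6.1.4.1.9.9.109.1.1.1.1.7.2 = Gauge32: 7
.1.3.6.1.4.1.9.9.109.1.1.1.1.7.18 = Gauge32: 31
.1.3.6.1.4.1.9.9.109.1.1.1.1.8.2 = Gauge32: 5
.1.3.6.1.4.1.9.9.109.1.1.1.1.8.18 = Gauge32: 28
.1.3.6.1.2.1.47.1.1.1.1.7.52690955 = STRING: "module 0/RSP0/CPU0"
.1.3.6.1.2.1.47.1.1.1.1.7.26932192 = STRING: "module 0/0/CPU0"
"""

def cpu_by_entity(walk_text):
    """Map entPhysicalName -> (1-minute %, 5-minute %) from a numeric walk."""
    rows, names = {}, {}
    for line in walk_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        oid, value = m.groups()
        if oid.startswith(ENT_NAME):
            names[int(oid[len(ENT_NAME):])] = value
        elif oid.startswith(CPM):
            column, _, cpu_index = oid[len(CPM):].partition(".")
            if column in COLUMNS:
                rows.setdefault(cpu_index, {})[COLUMNS[column]] = int(value)
    report = {}
    for cpu_index, row in rows.items():
        phys = row.get("phys")
        # Key on the entity name: cpmCPUTotalIndex is not a fixed value.
        label = names.get(phys, f"cpmCPUTotalIndex {cpu_index} (no entity name)")
        report[label] = (row.get("cpu_1min"), row.get("cpu_5min"))
    return report
```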

08 Nov

SSH is always running on ASR9K

On traditional IOS routers SSH is enabled if you have K9 software, the SSH server enabled and a proper key pair generated on the device. It seems that IOS XR works differently. SSH is enabled and working even if you have no keys generated.
When you try to connect to such a router you get the following message:

Anomander:~ peper$ ssh [email protected]
no hostkey alg

and in router logs:

RP/0/RSP0/CPU0:ASR9K#RP/0/RSP0/CPU0:Oct 29 13:18:20.167 : SSHD_[65804]: %SECURITY-SSHD-3-ERR_ERRNO : Failed to retreive host key-pair No error

No error? Well, there is an error – no keys were generated. This is cosmetic, but it would be nice if SSH didn’t work at all until proper keys are generated, or if no misleading error message were displayed.

24 Oct

No EIGRP neighbor authentication on ASR9K

A Cisco representative has tried to tell me lately that there is feature parity between platforms on IOS XR. In general maybe there is, but in the details there is not. My previous example about the lack of GRE tunnels is not valid anymore, as this feature has been added in release 3.9.2 on ASR 9000 routers. The configuration of GRE tunnels would not be committed previously because it was not supported.

Things are different when you try to implement authentication for EIGRP neighbors using key chains. This feature, according to the official configuration guide, is not supported in IOS XR on the ASR 9000 platform, but is supported on CRS-1. So a configuration like this should not be validated and committed:

key chain test
 key 1
  key-string password 12345
!
router eigrp 65500
 address-family ipv4
  interface Bundle-Ether1.100
   authentication keychain test

Too bad: in this case, even though the feature is not supported, the IOS XR CLI lets the configuration be committed. No neighborship will ever be established over that link.

EIGRP authentication is not supported in either the 3.9 or the 4.0 release of IOS XR.

07 Oct

Different default BGP prefix policy on ASR9k

The ASR9000 with its IOS XR requires the administrator to apply a routing policy for every neighbor. This behavior is different from IOS, where, if no policy is applied, the router accepts and sends all prefixes without limitation. So if we make the following configuration:

router bgp 65374
 neighbor 10.129.11.51
  remote-as 1234
  ebgp-multihop 10
  update-source Bundle-Ether1.260
  graceful-restart
  address-family ipv4 unicast
   soft-reconfiguration inbound always

the router will inform us that no prefixes will be sent or received on this session:

RP/0/RSP0/CPU0:Aug 20 08:56:13.388 : bgp[137]: %ROUTING-BGP-6-NBR_NOPOLICY : No inbound IPv4 Unicast policy is configured for eBGP neighbor 10.129.11.51. 
No IPv4 Unicast prefixes will be accepted from the neighbor until inbound policy is configured. 
RP/0/RSP0/CPU0:Aug 20 08:56:13.388 : bgp[137]: %ROUTING-BGP-6-NBR_NOPOLICY : No outbound IPv4 Unicast policy is configured for eBGP neighbor 10.129.11.51. 
No IPv4 Unicast prefixes will be sent to the neighbor until outbound policy is configured. 

So a proper configuration always has to contain a policy attached to the neighbor in the proper address-family. In the following example we make the router send and accept all prefixes:

route-policy Accept-All
  pass
end-policy
!
router bgp 65374
 neighbor 10.129.11.51
  remote-as 1234
  ebgp-multihop 10
  update-source Bundle-Ether1.260
  address-family ipv4 unicast
   route-policy Accept-All in
   route-policy Accept-All out
   soft-reconfiguration inbound always

Update: As my friend pointed out, this is the default behavior for eBGP peers only; for iBGP it works like in standard IOS, and all prefixes are passed to neighbors by default.

21 Aug

No GRE tunnels on ASR9k (yet)

This was quite an unpleasant surprise – IOS XR on ASR9k does not support GRE tunnels at the moment. It supports IPSec and MPLS-TE, but not GRE, which is one of the main and commonly used tunneling techniques. You can define a tunnel-ip interface, but you can’t define source and destination handlers. GRE support is supposed to be in IOS XR 4.0, which might be released at the end of the year, but with Cisco you never know.

This is what happens when you try to commit an incomplete GRE tunnel configuration:

RP/0/RSP0/CPU0:Aug 20 07:54:57.239 : tunl_gre_ma[426]: %FORWARDING-IP_TUNNEL-4-INIT : Tunnel-IP MA process failed to initialize platform tunnel IDs: 'Not supported' 
RP/0/RSP0/CPU0:Aug 20 07:54:57.913 : sysmgr[94]: tunl_gre_ma(1) (jid 426) (pid 430354) (fail_count 1) abnormally terminated, restart scheduled 
RP/0/RSP0/CPU0:Aug 20 07:54:57.913 : sysmgr[94]: %OS-SYSMGR-3-ERROR : tunl_gre_ma(1) (jid 426) exited, will be respawned with a delay (slow-restart)   
RP/0/RSP0/CPU0:Aug 20 07:54:57.915 : sysmgr[94]: %OS-SYSMGR-3-ERROR : tunl_gre_ma(426) (fail count 1) will be respawned in 10 seconds  
RP/0/RSP0/CPU0:Aug 20 07:54:57.915 : sysmgr[94]: %OS-SYSMGR-7-DEBUG : Feature:tunl_gre_ma tunl_gre_ma[426] (pid 430354) has not sent proc-ready within 90 seconds  
RP/0/RSP0/CPU0:Aug 20 07:54:58.021 : tunl_gre_ma[426]: %FORWARDING-IP_TUNNEL-4-INIT : Tunnel-IP MA process failed to initialize platform tunnel IDs: 'Not supported' 
RP/0/RSP0/CPU0:Aug 20 07:54:58.742 : sysmgr[94]: %OS-SYSMGR-3-ERROR : tunl_gre_ma(1) (jid 426) exited, will be respawned with a delay (slow-restart)   
RP/0/RSP0/CPU0:Aug 20 07:54:58.741 : sysmgr[94]: tunl_gre_ma(1) (jid 426) (pid 434450) (fail_count 1) abnormally terminated, restart scheduled 
RP/0/RSP0/CPU0:Aug 20 07:54:58.744 : sysmgr[94]: %OS-SYSMGR-3-ERROR : tunl_gre_ma(426) (fail count 1) will be respawned in 10 seconds  
RP/0/RSP0/CPU0:Aug 20 07:54:58.744 : sysmgr[94]: %OS-SYSMGR-7-DEBUG : Feature:tunl_gre_ma tunl_gre_ma[426] (pid 434450) has not sent proc-ready within 90 seconds  
RP/0/RSP0/CPU0:Aug 20 07:54:58.747 : sysdb_svr_local[408]: %SYSDB-SYSDB-7-STARTUP : Startup request for 'cfg/if/act/tunnel-ip666/v' from 'config' (jid 65808) failed for a process on a slow starting node 

% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors

26 May

E-OAM loopback on ASR9k

There are two things that we have to do to enable E-OAM: configure an OAM profile that defines the way OAM will work, and attach that profile to a physical interface. OAM does not work on subinterfaces. In the action section you define what action the router will take when a particular error occurs; in this example the interface will be put into the err-disable state.

11 May

Creating EoMPLS on ASR9k

The process of defining E-Line connections, either local or as EoMPLS, consists of two steps – creating EFPs (Ethernet Flow Points) and defining an xconnect between them. Each EFP represents one customer service demarcation point and can be, for example, a physical subinterface or a bundle. The connection between EFPs can be either local, if both EFPs are in the same chassis (same or different line cards), or an EoMPLS link.