08 Nov

SSH is always running on ASR9K

On traditional IOS routers SSH is enabled if you have K9 software, the SSH server enabled and a proper key pair generated on the device. It seems that IOS XR works differently: SSH is enabled and listening even if no keys have been generated.
When you try to connect to such a router you get the following message:

Anomander:~ peper$ ssh [email protected]
no hostkey alg

and in router logs:

RP/0/RSP0/CPU0:ASR9K#RP/0/RSP0/CPU0:Oct 29 13:18:20.167 : SSHD_[65804]: %SECURITY-SSHD-3-ERR_ERRNO : Failed to retreive host key-pair No error

No error? Well, there is an error: no keys were generated. This is cosmetic, but it would be nice if SSH either did not run at all until proper keys are generated, or at least did not display a misleading error message.

24 Oct

No EIGRP neighbor authentication on ASR9K

A Cisco representative recently tried to tell me there is feature parity between platforms on IOS XR. In general maybe there is, but not in the details. My previous example about the lack of GRE tunnels is no longer valid, as this feature was added in release 3.9.2 on ASR 9000 routers. Previously the configuration of GRE tunnels would not be committed because it was not supported.

Things are different when you try to implement authentication for EIGRP neighbors using key chains. This feature, according to the official configuration guide, is not supported in IOS XR on the ASR 9000 platform, but is supported on the CRS-1. So a configuration like the following should not be validated and committed:

key chain test
 key 1
  key-string password 12345
!
router eigrp 65500
 address-family ipv4
  interface Bundle-Ether1.100
   authentication keychain test

Too bad: in this case, even though the feature is not supported, the IOS XR CLI lets the configuration be committed. No neighborship will ever be established over that link.

EIGRP authentication is not supported on the 3.9 or 4.0 release of IOS XR.

07 Oct

Different default BGP prefix policy on ASR9k

The ASR9000 and its IOS XR require the administrator to apply a routing policy for every neighbor. This behavior differs from IOS, where if no policy is applied the router accepts and sends all prefixes without limitation. So if we make the following configuration:

router bgp 65374
 neighbor 10.129.11.51
  remote-as 1234
  ebgp-multihop 10
  update-source Bundle-Ether1.260
  graceful-restart
  address-family ipv4 unicast
   soft-reconfiguration inbound always

the router informs us that no prefixes will be sent or received on this session:

RP/0/RSP0/CPU0:Aug 20 08:56:13.388 : bgp[137]: %ROUTING-BGP-6-NBR_NOPOLICY : No inbound IPv4 Unicast policy is configured for eBGP neighbor 10.129.11.51. 
No IPv4 Unicast prefixes will be accepted from the neighbor until inbound policy is configured. 
RP/0/RSP0/CPU0:Aug 20 08:56:13.388 : bgp[137]: %ROUTING-BGP-6-NBR_NOPOLICY : No outbound IPv4 Unicast policy is configured for eBGP neighbor 10.129.11.51. 
No IPv4 Unicast prefixes will be sent to the neighbor until outbound policy is configured. 

So a proper configuration always has to contain a policy attached to the neighbor in the proper address-family. In the following example we make the router send and accept all prefixes:

route-policy Accept-All
  pass
end-policy
!
router bgp 65374
 neighbor 10.129.11.51
  remote-as 1234
  ebgp-multihop 10
  update-source Bundle-Ether1.260
  address-family ipv4 unicast
   route-policy Accept-All in
   route-policy Accept-All out
   soft-reconfiguration inbound always

Update: as my friend noted, this is the default behavior for eBGP peers only; for iBGP it works as in standard IOS and all prefixes are passed to neighbors by default.
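A small configuration audit for the condition described above, written as an added example for this post (not Cisco's or the author's code): it walks an IOS XR "router bgp" block and reports every eBGP address-family that lacks an inbound or outbound route-policy, i.e. exactly the sessions that would log NBR_NOPOLICY, while skipping iBGP peers as the update explains. The sample configuration is constructed from the post's own peer plus a made-up iBGP neighbor (10.129.11.52).

```python
"""Audit an IOS XR 'router bgp' block for the condition behind
%ROUTING-BGP-6-NBR_NOPOLICY: an eBGP address-family with no inbound or
outbound route-policy. iBGP peers (remote-as == local AS) are skipped."""
import re

# Constructed sample: the post's eBGP peer with only an inbound policy,
# plus a made-up iBGP peer (10.129.11.52) that needs no policy.
SAMPLE_CONFIG = """\
router bgp 65374
 neighbor 10.129.11.51
  remote-as 1234
  ebgp-multihop 10
  update-source Bundle-Ether1.260
  address-family ipv4 unicast
   route-policy Accept-All in
   soft-reconfiguration inbound always
 neighbor 10.129.11.52
  remote-as 65374
  address-family ipv4 unicast
"""

def audit_bgp_policies(config):
    """Return (neighbor, address-family, direction) for each eBGP gap."""
    local_as = neighbor = afi = None
    peers = {}      # neighbor -> remote-as
    afis = set()    # (neighbor, afi) pairs seen under a neighbor
    policies = {}   # (neighbor, afi) -> {"in": name, "out": name}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"router bgp (\d+)$", line):
            local_as = int(m.group(1))
        elif m := re.match(r"neighbor (\S+)$", line):
            neighbor, afi = m.group(1), None
        elif neighbor and (m := re.match(r"remote-as (\d+)$", line)):
            peers[neighbor] = int(m.group(1))
        elif neighbor and (m := re.match(r"address-family (\S+ \S+)$", line)):
            afi = m.group(1)
            afis.add((neighbor, afi))
        elif afi and (m := re.match(r"route-policy (\S+) (in|out)$", line)):
            policies.setdefault((neighbor, afi), {})[m.group(2)] = m.group(1)
    gaps = []
    for nbr, af in sorted(afis):
        if peers.get(nbr) == local_as:  # iBGP: IOS-like default, no policy needed
            continue
        for direction in ("in", "out"):
            if direction not in policies.get((nbr, af), {}):
                gaps.append((nbr, af, direction))
    return gaps
```

Running audit_bgp_policies(SAMPLE_CONFIG) reports only the missing outbound policy on 10.129.11.51; a neighbor whose remote-as is inherited from a neighbor-group is treated as eBGP and reported, which errs on the safe side.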

25 Aug

vPC peer-link on Nexus switches

On the Catalyst 6500 platform we had VSS technology, which provides redundancy of uplinks with a single spanning-tree point. A pair of Nexus switches cannot be one logical device, but with vPC technology they can act as a single spanning-tree point. The idea of redundancy is pretty much similar: the downstream switch has two bundled uplinks, one to each upstream switch. If one of the links or switches fails, traffic is still forwarded using the second link. This technology on Nexus switches is called vPC (Virtual PortChannel).

21 Aug

No GRE tunnels on ASR9k (yet)

This was quite an unpleasant surprise: IOS XR on the ASR9k does not support GRE tunnels at the moment. It supports IPsec and MPLS-TE but not GRE, which is one of the main and most commonly used tunneling techniques. You can define a tunnel-ip interface but you cannot define source and destination handlers. GRE support is supposed to come in IOS XR 4.0, which might be released at the end of the year, but with Cisco you never know.

This is what happens when you try to commit an incomplete GRE tunnel configuration:

RP/0/RSP0/CPU0:Aug 20 07:54:57.239 : tunl_gre_ma[426]: %FORWARDING-IP_TUNNEL-4-INIT : Tunnel-IP MA process failed to initialize platform tunnel IDs: 'Not supported' 
RP/0/RSP0/CPU0:Aug 20 07:54:57.913 : sysmgr[94]: tunl_gre_ma(1) (jid 426) (pid 430354) (fail_count 1) abnormally terminated, restart scheduled 
RP/0/RSP0/CPU0:Aug 20 07:54:57.913 : sysmgr[94]: %OS-SYSMGR-3-ERROR : tunl_gre_ma(1) (jid 426) exited, will be respawned with a delay (slow-restart)   
RP/0/RSP0/CPU0:Aug 20 07:54:57.915 : sysmgr[94]: %OS-SYSMGR-3-ERROR : tunl_gre_ma(426) (fail count 1) will be respawned in 10 seconds  
RP/0/RSP0/CPU0:Aug 20 07:54:57.915 : sysmgr[94]: %OS-SYSMGR-7-DEBUG : Feature:tunl_gre_ma tunl_gre_ma[426] (pid 430354) has not sent proc-ready within 90 seconds  
RP/0/RSP0/CPU0:Aug 20 07:54:58.021 : tunl_gre_ma[426]: %FORWARDING-IP_TUNNEL-4-INIT : Tunnel-IP MA process failed to initialize platform tunnel IDs: 'Not supported' 
RP/0/RSP0/CPU0:Aug 20 07:54:58.742 : sysmgr[94]: %OS-SYSMGR-3-ERROR : tunl_gre_ma(1) (jid 426) exited, will be respawned with a delay (slow-restart)   
RP/0/RSP0/CPU0:Aug 20 07:54:58.741 : sysmgr[94]: tunl_gre_ma(1) (jid 426) (pid 434450) (fail_count 1) abnormally terminated, restart scheduled 
RP/0/RSP0/CPU0:Aug 20 07:54:58.744 : sysmgr[94]: %OS-SYSMGR-3-ERROR : tunl_gre_ma(426) (fail count 1) will be respawned in 10 seconds  
RP/0/RSP0/CPU0:Aug 20 07:54:58.744 : sysmgr[94]: %OS-SYSMGR-7-DEBUG : Feature:tunl_gre_ma tunl_gre_ma[426] (pid 434450) has not sent proc-ready within 90 seconds  
RP/0/RSP0/CPU0:Aug 20 07:54:58.747 : sysdb_svr_local[408]: %SYSDB-SYSDB-7-STARTUP : Startup request for 'cfg/if/act/tunnel-ip666/v' from 'config' (jid 65808) failed for a process on a slow starting node 

% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors

29 Jul

Where is ‘wr’ on NX-OS

write memory, or wr for short, is one of the most used commands on IOS devices. It is short, simple and quick to execute. Who would like to type copy running-config startup-config every time?
Unfortunately on NX-OS wr is no more. I do not really understand why the developers decided to remove that command. Thankfully it can be restored using an alias:

N7K(config)# cli alias name wr copy running-config startup-config

23 Jul

BGP Unknown path error on ASR1000

In some situations you can see the following error message while trying to establish a BGP neighborship:

%BGP_SESSION-5-ADJCHANGE: neighbor 192.168.0.2 IPv4 Unicast topology base removed from session  Unknown path error

This can be a misconfiguration or an internal bug described (or rather just mentioned, because I would say the bug description is almost empty) in bug ticket CSCsy10339 if you are using a release prior to 12.2(33)XNE. If it is a misconfiguration you would rather expect an error message like:

%BGP_SESSION-5-ADJCHANGE: neighbor 192.168.0.2 IPv4 Unicast topology base removed from session  Peer closed the session

This can be quite confusing and leads to looking for the problem somewhere other than where it actually is.

26 May

E-OAM loopback on ASR9k

There are two things we have to do to enable E-OAM: configure an OAM profile that defines how OAM will work, and attach that profile to a physical interface. OAM does not work on subinterfaces. In the action section you define what action the router will take when a particular error occurs; in this example the interface will be put in err-disable state.