Thursday, February 6, 2014

NTS: Other





These topics are not considered critical, because they are rarely used as a base for something else, but they can easily earn you some points if configured correctly.

Having a general idea is probably enough, as long as you know where to look in the documentation for the details.



MAC accounting

Use it to collect statistics about traffic per mac address.

IOS
interface FastEthernet0/0
 ip accounting mac-address input
 ip accounting mac-address output



IOS-XR
interface TenGigE0/2/0/0
 mac-accounting ingress
 mac-accounting egress





IP/precedence accounting

Use it to collect statistics about traffic per ip address or per ip precedence.

IOS
R3(config-subif)#ip accounting ?
  access-violations  Account for IP packets violating access lists on this
                     interface
  output-packets     Account for IP packets output on this interface
  precedence         Count packets by IP precedence on this interface
  <cr>


IOS
R3(config)#ip ?
Global IP configuration subcommands:
...
  accounting-list         Select hosts for which IP accounting information is
                          kept
  accounting-threshold    Sets the maximum number of accounting entries
  accounting-transits     Sets the maximum number of transit entries

...




carrier-delay

For fast convergence use low (or 0) timers, especially for the down timer.
For CPU optimization (if you have seen routing instability due to short interface flaps) use higher timers.

e.g. if there is a backup circuit available:

IOS
interface FastEthernet0/0
 carrier-delay msec 50



IOS-XR
interface TenGigE0/2/0/0
 carrier-delay down 0 up 3000




IP event dampening

It's a mechanism to suppress the effects of excessive interface flapping events on routing protocols and routing tables.

Parameters:
  • half-life period
    • the penalty is reduced by half after each half-life period (assuming the interface has stopped flapping)
    • default: 5 sec
  • reuse threshold
    • when the penalty drops to the reuse threshold, the route is unsuppressed
    • default: 1000 penalties
  • suppress threshold
    • when the accumulated penalty reaches the suppress threshold, the interface is placed in the dampened state and the route is suppressed
    • default: 2000 penalties
  • max suppress
    • the maximum amount of time an interface can remain dampened when a penalty is assigned to it
    • default: 4 x half-life sec 
  • restart penalty
    • initial penalty applied to an interface when it comes up after a router reload
    • default: 2000 penalties
In Cisco software, the default penalty added per flap is 1000.


IOS
interface FastEthernet0/0
 dampening 30 2000 5000 60



R3#sh interfaces dampening
FastEthernet0/0
  Flaps Penalty    Supp ReuseTm   HalfL  ReuseV   SuppV  MaxSTm    MaxP Restart
      0       0   FALSE       0      30    2000    5000      60    8000       0



IOS-XR
interface TenGigE0/2/0/0
 dampening 1 2000 5000 2



IOS-XR half-life and max-suppress values are in minutes, while in IOS they are in seconds.

Use "debug dampening interface" to verify the dampening procedure.
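An added example, not part of the original notes and not Cisco code: the following Python model reproduces the penalty arithmetic described above with the same values as the IOS config "dampening 30 2000 5000 60". Each flap adds the 1000 penalty, the penalty halves every half-life, the route is suppressed once the penalty reaches 5000 and reused again when it decays to 2000, and the ceiling works out to 8000, which is the MaxP column in the show output above. The class and method names are hypothetical; from_iosxr() only converts the IOS-XR minute values into seconds.

```python
import math

# Per-flap penalty used by Cisco software (stated in the notes above).
FLAP_PENALTY = 1000


class DampenedInterface:
    """Model of IOS 'dampening <half-life> <reuse> <suppress> <max-suppress>'.

    All times are seconds (IOS units); use from_iosxr() for IOS-XR, which
    takes half-life and max-suppress in minutes.  Hypothetical class, not IOS code.
    """

    def __init__(self, half_life, reuse, suppress, max_suppress):
        self.half_life = half_life
        self.reuse = reuse
        self.suppress = suppress
        self.max_suppress = max_suppress
        # Penalty ceiling: the value that decays to exactly 'reuse' after
        # max-suppress seconds, so nothing stays dampened longer than that.
        # This is the MaxP column of 'show interfaces dampening' (8000 above).
        self.max_penalty = int(reuse * 2 ** (max_suppress / half_life))
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False
        self.flaps = 0

    @classmethod
    def from_iosxr(cls, half_life_min, reuse, suppress, max_suppress_min):
        """IOS-XR form: half-life and max-suppress are given in minutes."""
        return cls(half_life_min * 60, reuse, suppress, max_suppress_min * 60)

    def _decay(self, now):
        """Apply exponential decay: the penalty halves every half-life period."""
        elapsed = now - self.last_update
        self.penalty *= 2 ** (-elapsed / self.half_life)
        self.last_update = now
        # Once the penalty falls to the reuse threshold the route is unsuppressed.
        if self.suppressed and self.penalty <= self.reuse:
            self.suppressed = False

    def flap(self, now):
        """Record an interface down event at time 'now'; returns True if now dampened."""
        self._decay(now)
        self.flaps += 1
        self.penalty = min(self.penalty + FLAP_PENALTY, self.max_penalty)
        if self.penalty >= self.suppress:
            self.suppressed = True
        return self.suppressed

    def is_suppressed(self, now):
        self._decay(now)
        return self.suppressed

    def reuse_time(self, now):
        """Seconds until the penalty decays to the reuse threshold (0 if not dampened)."""
        self._decay(now)
        if not self.suppressed:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


if __name__ == "__main__":
    # Same values as 'dampening 30 2000 5000 60' above: five quick flaps reach
    # the suppress threshold; the penalty then needs ~40 s to decay to 2000.
    d = DampenedInterface(30, 2000, 5000, 60)
    for n in range(1, 6):
        suppressed = d.flap(0)
        print(f"flap {n}: penalty={d.penalty:.0f} suppressed={suppressed}")
    print(f"reuse in {d.reuse_time(0):.1f}s, ceiling MaxP={d.max_penalty}")
```

Ten flaps in a row hit the 8000 ceiling, and from there the reuse time is exactly the 60 s max-suppress, which is the whole point of the ceiling.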



preconfigure interfaces

If you don't have the actual linecards and/or interfaces, you can use preconfiguration in order to create interfaces in advance, which is a nice way of testing configurations.

IOS-XR
CRS(config)#int preconfigure pos ?
  R/S/I/P  Preconfig interface in Rack/Slot/Instance/Port format



Type-7 passwords

You can use a key-chain to recover a type 7 password.



NAT

"sh ip nat translations" shows translation for both global routing table and VRFs.

You can use "ip nat inside" on an interface even when the traffic passing through it is labeled.




IP SLA

IP SLA uses active traffic monitoring for measuring network performance.

The information collected includes data about:
  • response time
  • one-way latency
  • jitter
  • packet loss
  • voice quality scoring
  • network resource availability
  • application performance
  • server response time

Configuration Steps
  • Enable the IP SLAs responder (if required)
  • Configure the required IP SLAs operation type
  • Configure any options available for the specified IP SLAs operation type
  • Configure threshold conditions (if required)
  • Schedule the operation to run
  • Collect the statistics

You can use the following command to find the supported operation types to use for SLA:

IOS
R1#sh ip sla application
        IP Service Level Agreement Technologies
Version: Round Trip Time MIB 2.2.0, Infrastructure Engine-II

Supported Operation Types:
        802.1agEcho VLAN, EVC, Port, 802.1agJitter VLAN, EVC, Port
        dhcp, dns, echo, ftp, http, jitter, lspGroup, lspPing
        lspPingPseudowire, lspTrace, , pathEcho, pathJitter
        tcpConnect, udpEcho
Supported Features:
        IPSLAs Event Publisher



Common parameters:
  • frequency (sec)
    • the rate at which a specified IP SLAs operation repeats
  • request-data-size (bytes)
    • the protocol data size in the payload of an IP SLAs operation's request packet
  • threshold (msec)
    • the upper threshold value for calculating network monitoring statistics
  • timeout (msec)
    • the amount of time an IP SLAs operation waits for a response from its request packet

Obviously, if you set the timeout lower than the threshold, the operation times out before the threshold can be exceeded, so you will never get over-threshold statistics.

Configuration

IOS
ip sla 1
 icmp-echo 2.2.2.2
 timeout 40
 threshold 20
 frequency 30
ip sla schedule 1 life 600 start-time now



Verification

IOS
R1#sh ip sla statistics detail

Round Trip Time (RTT) for       Index 1
Type of operation: icmp-echo
        Latest RTT: 20 ms
Latest operation start time: *13:25:14.311 UTC Sun Jan 26 2014
Latest operation return code: OK
Over thresholds occurred: FALSE
Number of successes: 1
Number of failures: 0
Operation time to live: 588 sec
Operational state of entry: Active
Last time this entry was reset: *13:25:14.307 UTC Sun Jan 26 2014


R1#sh ip sla statistics detail

Round Trip Time (RTT) for       Index 1
Type of operation: icmp-echo
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *13:25:44.311 UTC Sun Jan 26 2014
Latest operation return code: Timeout
Over thresholds occurred: FALSE
Number of successes: 1
Number of failures: 1
Operation time to live: 549 sec
Operational state of entry: Active
Last time this entry was reset: *13:25:14.307 UTC Sun Jan 26 2014


R1#sh ip sla statistics detail

Round Trip Time (RTT) for       Index 1
Type of operation: icmp-echo
        Latest RTT: 24 ms
Latest operation start time: *13:26:44.311 UTC Sun Jan 26 2014
Latest operation return code: Over threshold
Over thresholds occurred: TRUE
Number of successes: 1
Number of failures: 3
Operation time to live: 505 sec
Operational state of entry: Active
Last time this entry was reset: *13:25:14.307 UTC Sun Jan 26 2014



If you want to change the parameters of an already running sla operation, you have to remove its schedule first and then change it.

If you want to change the type of an already existing sla operation, you have to remove it completely and start over.


IP SLA Responder

The IP SLA Responder listens on a specific port (UDP 1967) for control protocol messages sent by an IP SLAs operation. Upon receipt of the control message, the responder enables the specified UDP or TCP port for the specified duration.

It helps avoid measuring the processing delay and provides greater accuracy, because it allows the target device to take two time stamps, one when the packet arrives on the interface at interrupt level and another just as it is leaving, eliminating the processing time.

To capture one-way delay measurements, NTP must be enabled on both the source router and target router and their clocks need to be synchronized to the same clock source (with the ability to configure a clock tolerance for operations with microsecond precision). One-way jitter measurements do not require clock synchronization.
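An added example, not part of the original notes and not Cisco code: the Python below works the two-timestamp idea and the clock-sync requirement through on constructed probe timestamps. The responder stamps the probe on arrival (t2) and on departure (t3), so the source can subtract the responder's processing time from the round trip; one-way latency is t2 - t1 and t4 - t3 and only makes sense with synchronised clocks, while jitter (the difference between consecutive latencies, reported as positive and negative Number/Sum/Sum2 like in the udp-jitter output below) is unaffected by a constant clock offset. All function names and the sample timestamps are made up for this example.

```python
def build_probes(sd_latency, processing, ds_latency, interval=20):
    """Construct (t1, t2, t3, t4) timestamps in ms for a run of probes:
    t1 sent by the source, t2/t3 stamped by the responder on arrival and on
    departure, t4 the reply's arrival at the source.  Sample data, not a capture."""
    probes, t1 = [], 0
    for sd, proc, ds in zip(sd_latency, processing, ds_latency):
        t2 = t1 + sd
        t3 = t2 + proc
        t4 = t3 + ds
        probes.append((t1, t2, t3, t4))
        t1 += interval
    return probes


def jitter_stats(latencies):
    """Jitter the way IOS reports it: the difference between consecutive
    latencies, with positive and negative changes summarised separately
    (Number/Sum/Sum2 and Min/Avg/Max).  A zero change counts as a sample
    but is neither positive nor negative."""
    diffs = [b - a for a, b in zip(latencies, latencies[1:])]
    pos = [d for d in diffs if d > 0]
    neg = [-d for d in diffs if d < 0]

    def summary(values):
        if not values:
            return {"number": 0, "min": 0, "avg": 0, "max": 0, "sum": 0, "sum2": 0}
        return {"number": len(values), "min": min(values),
                "avg": sum(values) // len(values), "max": max(values),
                "sum": sum(values), "sum2": sum(v * v for v in values)}

    return {"samples": len(diffs), "positive": summary(pos), "negative": summary(neg)}


def measure(probes, responder_offset_ms=0):
    """Compute RTT, one-way latency and jitter from probe timestamps.
    responder_offset_ms models a responder clock that is not synchronised
    with the source (constructed, to show which figures that breaks)."""
    rtt, sd, ds = [], [], []
    for t1, t2, t3, t4 in probes:
        t2 += responder_offset_ms
        t3 += responder_offset_ms
        # The two responder timestamps let the source subtract the processing
        # time (t3 - t2) spent on the target, which a plain echo cannot do.
        rtt.append((t4 - t1) - (t3 - t2))
        sd.append(t2 - t1)   # source -> destination one-way, needs synced clocks
        ds.append(t4 - t3)   # destination -> source one-way, needs synced clocks
    return {"rtt": rtt, "sd": sd, "ds": ds,
            "sd_jitter": jitter_stats(sd), "ds_jitter": jitter_stats(ds)}


# Constructed sample: 5 probes 20 ms apart, the third one hitting a busy
# responder that needs 30 ms of processing before it answers.
SAMPLE_PROBES = build_probes(sd_latency=[5, 8, 6, 6, 9],
                             processing=[2, 2, 30, 2, 2],
                             ds_latency=[7, 5, 9, 4, 6])

if __name__ == "__main__":
    synced = measure(SAMPLE_PROBES)
    skewed = measure(SAMPLE_PROBES, responder_offset_ms=1000)
    print("RTT (ms):", synced["rtt"], "same with skew:", skewed["rtt"] == synced["rtt"])
    print("SD one-way (ms):", synced["sd"], "with 1 s clock skew:", skewed["sd"])
    print("SD jitter:", synced["sd_jitter"],
          "same with skew:", skewed["sd_jitter"] == synced["sd_jitter"])
```

Note that the slow third probe still reports a 15 ms RTT: the 30 ms the responder spent on it is exactly what the interrupt-level timestamps take out. With the 1 s offset the one-way figures are off by a second while RTT and both jitter summaries are identical, which is why the notes say one-way latency needs NTP and one-way jitter does not.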

Configuration

R1

IOS
ip sla 2
 udp-jitter 2.2.2.2 4444
 timeout 2000
 frequency 30
ip sla schedule 2 life 300 start-time now


R2

IOS
ip sla responder


Verification

IOS
R1#sh ip sla statistics detail

Round Trip Time (RTT) for       Index 2
Type of operation: jitter
        Latest RTT: 22 ms
Latest operation start time: *13:41:02.579 UTC Sun Jan 26 2014
Latest operation return code: OK
RTT Values
        Number Of RTT: 10
        RTT Min/Avg/Max: 5/22/37 ms
Latency one-way time milliseconds
        Number of Latency one-way Samples: 0
        Source to Destination Latency one way Min/Avg/Max: 0/0/0 ms
        Destination to Source Latency one way Min/Avg/Max: 0/0/0 ms
        Source to Destination Latency one way Sum/Sum2: 0/0
        Destination to Source Latency one way Sum/Sum2: 0/0
Jitter time milliseconds
        Number of SD Jitter Samples: 9
        Number of DS Jitter Samples: 9
        Source to Destination Jitter Min/Avg/Max: 1/10/24 ms
        Destination to Source Jitter Min/Avg/Max: 0/5/20 ms
        Source to destination positive jitter Min/Avg/Max: 3/10/24 ms
        Source to destination positive jitter Number/Sum/Sum2: 3/31/601
        Source to destination negative jitter Min/Avg/Max: 1/9/16 ms
        Source to destination negative jitter Number/Sum/Sum2: 6/55/699
        Destination to Source positive jitter Min/Avg/Max: 1/6/20 ms
        Destination to Source positive jitter Number/Sum/Sum2: 4/25/411
        Destination to Source negative jitter Min/Avg/Max: 1/5/13 ms
        Destination to Source negative jitter Number/Sum/Sum2: 4/20/190
        Interarrival jitterout: 0       Interarrival jitterin: 0
        Over thresholds occurred: FALSE
Packet Loss Values
        Loss Source to Destination: 0           Loss Destination to Source: 0
        Out Of Sequence: 0      Tail Drop: 0    Packet Late Arrival: 0
        Packet Skipped: 0
Voice Score Values
        Calculated Planning Impairment Factor (ICPIF): 0
        Mean Opinion Score (MOS): 0
Number of successes: 3
Number of failures: 0
Operation time to live: 214 sec
Operational state of entry: Active
Last time this entry was reset: *13:40:02.531 UTC Sun Jan 26 2014



IOS 
R2#sh ip sla responder
IP SLAs Responder is: Enabled
Number of control message received: 4 Number of errors: 0
Recent sources:
        169.254.12.1 [13:41:32.131 UTC Sun Jan 26 2014]
        169.254.12.1 [13:41:02.159 UTC Sun Jan 26 2014]
        169.254.12.1 [13:40:32.143 UTC Sun Jan 26 2014]
        169.254.12.1 [13:40:02.123 UTC Sun Jan 26 2014]
Recent error sources:



IP SLA for MPLS VPN

There is no major difference; you just need to define the VRF to be used for connectivity. It's also good practice to define the source address of the operation.

Configuration

IOS
ip sla 3
 path-echo 10.0.0.2 source-ip 10.0.0.1
 vrf VPN
 frequency 30
ip sla schedule 3 life 300 start-time now



Verification

IOS
R1#sh ip sla statistics detail

Round Trip Time (RTT) for       Index 3
Type of operation: path-echo
        Latest RTT: 60 ms
Latest operation start time: *14:01:35.903 UTC Sun Jan 26 2014
Latest operation return code: OK
Over thresholds occurred: FALSE
Number of successes: 10
Number of failures: 0
Operation time to live: 0
Operational state of entry: Inactive
Last time this entry was reset: *13:57:05.899 UTC Sun Jan 26 2014



You can always use the following command to verify your IP SLA setup and view the default values of all parameters not explicitly configured:

IOS
R1#sh ip sla configuration 3
IP SLAs, Infrastructure Engine-II.

Entry number: 3
Owner:
Tag:
Type of operation to perform: path-echo
Target address/Source address: 10.0.0.2/10.0.0.1

Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Loose Source Routing: Disabled
Vrf Name: VPN
LSR Path:
Schedule:
    Operation frequency (seconds): 30
    Next Scheduled Start Time: Start Time already passed
    Group Scheduled : FALSE
    Randomly Scheduled : FALSE
    Life (seconds): 300
    Entry Ageout (seconds): never
    Recurring (Starting Everyday): FALSE
    Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
    Number of statistic hours kept: 2
    Number of statistic paths kept: 5
    Number of statistic hops kept: 16
    Number of statistic distribution buckets kept: 1
    Statistic distribution interval (milliseconds): 20
History Statistics:
    Number of history Lives kept: 0
    Number of history Buckets kept: 15
    Number of history Samples kept: 16
    History Filter Type: None





Netflow

Netflow can help in:
  • network application and user monitoring
  • network analysis and planning
  • security analysis, accounting and billing
  • traffic engineering
  • data warehousing and data mining

Netflow key fields:
  • Source IP address
  • Destination IP address
  • Source port number
  • Destination port number
  • Layer 3 protocol type
  • Type of service (ToS)
  • Input logical interface

Netflow versions
  • v1
    • initial version
  • v5
    • adds support for ASN and flow sequence numbers
  • v7
    • special version for old C6k releases
  • v8
    • adds support for aggregation caches
  • v9
    • adds support for new fields and record types using templates
    • adds support for IPv6, multicast, MPLS and BGP next hop
  • v10
    • aka IPFIX

v1, v5, v9 are the most common ones.

IPFIX (an IETF standard) is based on netflow v9.
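An added example, not part of the original notes and not Cisco code: a small NetFlow v5 parser in Python, since v5 is one of the common versions and its fixed 24-byte header plus 48-byte records are easy to check by hand. It validates the version and the record count before trusting anything, pulls the seven key fields listed above out of each record, and sums packets and bytes per key, which is what a collector does when a long flow arrives as several exports. The datagram is constructed inline from values like those in the "sh ip cache flow" output below (not a capture), and the build_v5/parse_v5/aggregate names are made up for this example.

```python
import socket
import struct

# NetFlow v5 wire format (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30

# The key fields from the list above; records with the same key are the same flow.
KEY_FIELDS = ("src", "dst", "sport", "dport", "proto", "tos", "input")


def build_v5(records, sequence=0, unix_secs=1391700000, sys_uptime=1000):
    """Build an export datagram from record dicts (used here to construct sample data)."""
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0,
                            sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]),
            socket.inet_aton(r.get("nexthop", "0.0.0.0")),
            r.get("input", 0), r.get("output", 0),
            r["packets"], r["bytes"], r.get("first", 0), r.get("last", 0),
            r["sport"], r["dport"], 0, r.get("tcp_flags", 0),
            r["proto"], r.get("tos", 0), r.get("src_as", 0), r.get("dst_as", 0),
            r.get("src_mask", 0), r.get("dst_mask", 0), 0)
        for r in records)
    return header + body


def parse_v5(datagram):
    """Parse one v5 datagram; rejects other versions and inconsistent lengths."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated NetFlow header")
    (version, count, sys_uptime, unix_secs, _nsecs, sequence,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds v5 maximum")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram length does not match record count")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "input": f[3], "output": f[4],
            "packets": f[5], "bytes": f[6], "first": f[7], "last": f[8],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
            "tos": f[14], "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18],
        })
    return {"sequence": sequence, "uptime": sys_uptime, "exported_at": unix_secs,
            "sampling": sampling, "flows": flows}


def flow_key(flow):
    return tuple(flow[k] for k in KEY_FIELDS)


def aggregate(flows):
    """Sum packets and bytes per key, e.g. across repeated exports of a long flow."""
    totals = {}
    for f in flows:
        pkts, octets = totals.get(flow_key(f), (0, 0))
        totals[flow_key(f)] = (pkts + f["packets"], octets + f["bytes"])
    return totals


# Constructed sample records (modelled on the cache entries shown below, not a capture):
# the same UDP flow exported twice, plus a BGP session (TCP/179).
SAMPLE_RECORDS = [
    {"src": "34.3.7.7", "dst": "46.0.0.8", "sport": 0xC013, "dport": 0x829F,
     "proto": 17, "input": 37, "output": 34, "packets": 1, "bytes": 28},
    {"src": "34.3.7.7", "dst": "46.0.0.8", "sport": 0xC013, "dport": 0x829F,
     "proto": 17, "input": 37, "output": 34, "packets": 1, "bytes": 28},
    {"src": "169.254.34.4", "dst": "169.254.34.3", "sport": 0x5415, "dport": 0xB3,
     "proto": 6, "tcp_flags": 0x18, "input": 34, "output": 0, "packets": 2, "bytes": 98},
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_RECORDS, sequence=5)

if __name__ == "__main__":
    parsed = parse_v5(SAMPLE_DATAGRAM)
    for key, (pkts, octets) in aggregate(parsed["flows"]).items():
        print(key, pkts, "pkts", octets, "bytes")
```

The length check matters on a collector: v5 has no per-record length field, so a datagram whose size does not match its record count is either truncated or not v5 at all, and the parser refuses it rather than reading garbage into the flow table. A v9 datagram starts with version 9 and templates instead of fixed records, so it is rejected at the version check.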


IOS
interface FastEthernet0/0.34
 ip flow ingress
 ip flow egress



IOS
R3#sh ip cache flow
IP packet size distribution (20 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .550 .200 .000 .250 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  4 active, 65532 inactive, 14 added
  219 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 533256 bytes
  0 active, 16384 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-BGP              1      0.0         2    49      0.0      11.7      15.0
UDP-other            8      0.0         1    28      0.0       0.0      15.3
ICMP                 1      0.0         5   100      0.0       8.0      15.8
Total:              10      0.0         1    54      0.0       1.9      15.4

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0.37      34.3.7.7        Fa0/0.34*     46.0.0.8        11 C013 829F     1
Fa0/0.37      34.3.7.7        Fa0/0.34*     46.0.0.8        11 C012 829E     1
Fa0/0.37      34.3.7.7        Fa0/0.34*     46.0.0.8        11 C011 829D     1
Fa0/0.34      169.254.34.4    Local         169.254.34.3    06 5415 00B3     2



When using netflow v9, you can include the BGP next-hop with either the peer-as or the origin-as.

IOS
ip flow-export version 9 origin-as bgp-nexthop
ip flow-export destination 34.0.0.7 3333


IOS
R3#sh ip flow export
Flow export v9 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Destination(1)  34.0.0.7 (3333)
  Version 9 flow records, peer-as bgp-nexthop
  5 flows exported in 2 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures



You can also define the duration of active/inactive flows before they are exported.

You need to find the right balance between short and long timeouts, taking into account the cache size and the CPU load.

IOS
ip flow-cache timeout inactive 30
ip flow-cache timeout active 10
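An added example, not part of the original notes and not Cisco code: a Python model of the flow-cache ager that shows the trade-off above on a constructed packet trace. A flow is exported when it has been idle for the inactive timeout or alive for the active timeout, and replaying the same trace with the page's "active 10 / inactive 30" and with much shorter timers shows the two costs directly: long timers mean few exports but a cache full of dead one-packet flows, short timers keep the cache small but export the long-lived flow over and over. FlowCache, replay and sample_trace are hypothetical names; the trace is made up, not captured.

```python
class FlowCache:
    """Model of the IOS flow cache ager (hypothetical, not IOS code).

    Mirrors the CLI units: 'ip flow-cache timeout active' is in minutes,
    'ip flow-cache timeout inactive' in seconds.
    """

    def __init__(self, active_minutes=30, inactive_seconds=15):
        self.active = active_minutes * 60
        self.inactive = inactive_seconds
        self.flows = {}       # key -> {"first", "last", "packets", "bytes"}
        self.exported = []    # (key, record, reason) tuples handed to the exporter

    def packet(self, key, now, size):
        """Account one packet against its flow, creating the entry on first sight."""
        f = self.flows.get(key)
        if f is None:
            self.flows[key] = {"first": now, "last": now, "packets": 1, "bytes": size}
        else:
            f["last"] = now
            f["packets"] += 1
            f["bytes"] += size

    def age(self, now):
        """Ager pass: expire idle flows (inactive timeout) and long-lived flows
        (active timeout, so the collector sees them before they finish)."""
        expired = []
        for key, f in list(self.flows.items()):
            if now - f["last"] >= self.inactive:
                reason = "inactive"
            elif now - f["first"] >= self.active:
                reason = "active"
            else:
                continue
            expired.append((key, f, reason))
            del self.flows[key]
        self.exported.extend(expired)
        return expired


def replay(trace, active_minutes, inactive_seconds):
    """Run a (time, key, size) trace through the cache; return (exports, peak entries)."""
    cache = FlowCache(active_minutes, inactive_seconds)
    peak = 0
    for now, key, size in sorted(trace, key=lambda e: e[0]):
        cache.age(now)
        cache.packet(key, now, size)
        peak = max(peak, len(cache.flows))
    return len(cache.exported), peak


def sample_trace():
    """Constructed trace (not a capture): one BGP-like flow with a packet every 10 s
    for 20 minutes, plus 20 one-packet UDP flows in the first 20 seconds."""
    long_flow = ("169.254.34.4", "169.254.34.3", 21525, 179, 6, 0, 34)
    trace = [(t, long_flow, 49) for t in range(0, 1201, 10)]
    trace += [(i, ("34.3.7.7", "46.0.0.8", 49171 + i, 33434 + i, 17, 0, 37), 28)
              for i in range(20)]
    return trace


if __name__ == "__main__":
    # Long timeouts: few exports, but the cache holds every short flow for 30 s.
    # Short timeouts: the cache stays small, but the long flow is exported 120 times.
    for active, inactive in ((10, 30), (1, 5)):
        exports, peak = replay(sample_trace(), active, inactive)
        print(f"active {active} min / inactive {inactive} s: "
              f"{exports} exports, peak {peak} cache entries")
```

With 10 min / 30 s the trace produces 22 exports and a peak of 21 cache entries; with 1 min / 5 s it produces 140 exports and a peak of 6. The inactive check runs before the active one, which is also why a steady 10-second keepalive flow never hits the active timeout under the short timers: it is already expired as idle.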



Various options are also available for aggregation caches:

IOS
R3(config)#ip flow-aggregation cache ?
  as                      AS aggregation
  as-tos                  AS-TOS aggregation
  bgp-nexthop-tos         BGP nexthop TOS aggregation
  destination-prefix      Destination Prefix aggregation
  destination-prefix-tos  Destination Prefix TOS aggregation
  prefix                  Prefix aggregation
  prefix-port             Prefix-port aggregation
  prefix-tos              Prefix-TOS aggregation
  protocol-port           Protocol and port aggregation
  protocol-port-tos       Protocol, port and TOS aggregation
  source-prefix           Source Prefix aggregation
  source-prefix-tos       Source Prefix TOS aggregation



You can use two export protocols:
  • UDP (default)
    • unreliable
    • not congestion aware
  • SCTP
    • uses reliable, partially reliable or unreliable transmission
    • implements a congestion control mechanism

IOS
ip flow-export destination 2.2.2.2 2222
ip flow-export destination 3.3.3.3 3333 sctp
  backup destination 4.4.4.4 4444



SCTP is supported in IOS > 12.4(4)T.


MPLS egress netflow

It allows you to capture IP flow information for packets that arrive on a router as MPLS packets and that are transmitted as IP packets (i.e. PE=>CE direction).

IOS
interface FastEthernet0/0.17
 ip vrf forwarding ONE
 mpls netflow egress


IOS
R7#sh mpls forwarding-table vrf ONE 10.1.7.0 24 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
18     Aggregate   10.1.7.0/24[V]    0
        MAC/Encaps=0/0, MRU=0, Tag Stack{}
        VPN route: ONE
        Feature Quick flag set
    Per-packet load-sharing


R7#sh ip cache flow
IP packet size distribution (5 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .000 .000 1.00 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  1 active, 4095 inactive, 1 added
  4 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25800 bytes
  1 active, 1023 inactive, 1 added, 1 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0.37      10.0.0.3        Fa0/0.17*     10.0.0.1        01 0000 0800     5



Netflow for Layer 2

You can also capture some extra fields that include L2 information, like below:

IOS
R3(config)#ip flow-capture ?
  fragment-offset  Capture the fragment offset
  icmp             Capture the ICMP type and code
  ip-id            Capture the IP id
  mac-addresses    Capture src and dst MAC addresses
  packet-length    Capture the max and min packet length
  ttl              Capture the TTL
  vlan-id          Capture the VLAN id


IOS
R3#sh ip cache verbose flow
IP packet size distribution (229 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .427 .528 .000 .043 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  2 active, 65534 inactive, 158 added
  3870 ager polls, 0 flow alloc failures
  Active flows timeout in 10 minutes
  Inactive flows timeout in 30 seconds
IP Sub Flow Cache, 533256 bytes
  6 active, 16378 inactive, 47 added, 43 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-BGP             57      0.0         2    49      0.0      13.4      25.2
UDP-other           98      0.0         1    28      0.0       0.0      15.7
ICMP                 1      0.0         5   100      0.0       8.0      15.8
Total:             156      0.0         1    41      0.0       4.9      19.1

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
BGP: BGP NextHop

SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs  Pkts
Port Msk AS                    Port Msk AS    NextHop              B/Pk  Active
BGP: BGP NextHop
Fa0/0.37       34.3.7.7        Fa0/0.34*      46.0.0.4        01 00  10       5
0000 /24 0                     0800 /32 248   169.254.34.4          100     7.9
BGP: 169.254.34.4
FFlags: 01
MAC: (VLAN id) c208.0618.0000  (037)          ca06.13bc.0000  (034)
ICMP type:       8                            ICMP code:        0

Fa0/0.34       169.254.34.4    Local          169.254.34.3    06 C0  18       2
5415 /32 0                     00B3 /32 0     0.0.0.0                49    17.9
BGP: 0.0.0.0
MAC: (VLAN id) ca06.13bc.0000  (034)          0000.0000.0000  (000)



Netflow for IPv6

You can also export IPv6 flows, like the IPv4 ones.

IOS
interface X
 ipv6 flow ingress
 ipv6 flow egress
!

ipv6 flow-export destination 5.5.5.5 5555


The same flow parameters apply to IPv6 as well.

An extra option is the ability to specify a minimum mask for prefixes, in order to control the level of detail of the exported addresses.

Netflow for IPv6 is supported in IOS > 12.3(7)T.


Netflow for multicast

  • ingress 
    • information about the source and how many times the traffic was replicated
    • packets that fail RPF check
  • egress
    • information about the destination of the traffic flow

IOS
ip multicast netflow output-counters
ip multicast netflow rpf-failure


You also need to enable normal netflow under the relevant interfaces.



PBB (802.1ah) or MAC-in-MAC


Ingress UNI & Tunnel configuration


IOS
interface X
 service instance 10 ethernet
  encapsulation dot1q 10
  bridge-domain 100 c-mac
 service instance 20 ethernet
  encapsulation dot1q 20
  bridge-domain 200 c-mac 
!
interface Y
 service instance 10 ethernet
  encapsulation dot1q 10
  bridge-domain 100 c-mac
 service instance 20 ethernet
  encapsulation dot1q 20
  bridge-domain 200 c-mac 
!
ethernet mac-tunnel virtual 1
 bridge-domain 1111
 mac tunnel address destination default 9999.9999.9999
 service instance 1 ethernet
  encapsulation dot1ah isid 1000
  bridge-domain 100 c-mac
 service instance 2 ethernet
  encapsulation dot1ah isid 2000
  bridge-domain 200 c-mac



Egress forwarding can be accomplished using one of the following methods:

L2 bridging with switchport
interface Z
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 1111



L2 bridging with EVC
interface Z  
 service instance 1 ethernet
  encapsulation dot1q 1111
  bridge-domain 1111



EoMPLS
interface vlan 1111
 xconnect 10.10.10.10 11 encapsulation mpls



VPLS
l2 vfi PBB-VFI manual
 vpn id 1111
 neighbor 20.20.20.20 22 encapsulation mpls
 neighbor 30.30.30.30 33 encapsulation mpls
!
interface vlan 1111
 xconnect vfi PBB-VFI



PBB is supported on 7600.


