Friday , December 27 2024

protecting STP on Huawei switches

16 May, 2013 0

As a continuation of the STP Root Protection feature I want to describe additional STP protection functions and show you, where these functions should be implemented, in a typical campus LAN environment.

BPDU Protection feature can be used to protect switches against STP BPDU attacks. It should be implemented on every switch, which has ports directly connected to end-user workstations. This is because we do not expect receiving STP BPDU from user workstations. When STP BPDUs are received on the edge port, STP topology recalculation occurs, causing network flapping. If the port is configured with BPDU Protection and the switching device receives STP BPDUs, then the port is placed into shutdown state, protecting STP topology from recalculation. By default BPDU Protection feature is disabled on Huawei switches. To enable it:

<labnario_sw>system-view 
[labnario_sw]interface Ethernet 0/0/1
[labnario_sw-Ethernet0/0/1]stp edged-port enable 
[labnario_sw-Ethernet0/0/1]quit
[labnario_sw]stp bpdu-protection

When a switch port is configured as a STP Edged and STP BPDU is received, the port is placed into shutdown state:

May 13 2013 20:17:00-08:00 labnario_sw%%01MSTP/4/BPDU_PROTECTION(l)[4]:This edged-port Ethernet0/0/1 that enabled BPDU-Protection will be shutdown, because it received BPDU packet!
[labnario_sw-Ethernet0/0/1]dis cur int e0/0/1
#
interface Ethernet0/0/1
 shutdown
 stp edged-port enable

[labnario_sw-Ethernet0/0/1]dis int eth0/0/1
Ethernet0/0/1 current state : Administratively DOWN
Line protocol current state : DOWN

To bring the port back to UP state, manual port reconfiguration is required or auto recovery feature should be enabled on the switch.

TC Protection (TC – Topology Change) feature is used to suppress TC BPDUs (BPDU frames advertising STP topology change). When a switch receives a large number of TC BPDUs in a short time period, it has to frequently process MAC and ARP table entries, which can lead to CPU resources exhausting. To prevent this from happening, TC Protection can be configured, so that the switch will process TC BPDUs only with the given number of times within a specified time period. To enable TC Protection and change its default settings:

[labnario_sw]stp tc-protection
[labnario_sw]stp tc-protection threshold ?
  INTEGER  The threshold of TC-BPDU protection, default is 1

[labnario_sw]stp tc-protection threshold 3

The default threshold is 1, the time is specified by the STP Hello timer, which equals to 2 seconds, and can be easy changed using command:

[labnario_sw]stp timer hello ?
  INTEGER  Hello time in centiseconds, in steps of 100, the default value is 200

When the number of TC BPDUs, received by the switch, exceeds the specified threshold in a given time period, switch processes the excess TC BPDUs, after the specified time period expires. TC Protection feature should be enabled on every switch in a LAN environment.

Loop Protection feature provides additional protection against L2 forwarding loops. STP relies on a continuous reception or transmission of BPDUs based on the port role. The designated port transmits BPDUs and the non-designated port (ROOT, ALTERNATE) receives BPDUs. An STP loop is created, when one of the ports, of a physically redundant topology, no longer receives STP BPDUs. This usually happens, when ALTERNATE port in DISCARDING state stops receiving STP PBDUs, and as a result, moves to a Designated role and FORWARDING state. It means that there is no longer blocking port in redundant physical topology and loop is created. Loop protection feature, enabled on the interface, moves this port into Designated role and DISCARDING state, when no STP BPDUs are received in a prescriptive time. Loop Protection feature should be enabled on ROOT and ALTERNATE ports for every possible STP topology including failover scenarios.

Look at the following example to see Loop Protection feature in action:

[labnario_sw]dis cur | beg t0/0/1
#
interface GigabitEthernet0/0/1
 stp loop-protection
#
interface GigabitEthernet0/0/2
 stp loop-protection
#
[labnario_sw]dis stp brie
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        ALTE  DISCARDING      LOOP
   0    GigabitEthernet0/0/2        ROOT  FORWARDING      LOOP
May 14 2013 13:50:06-08:00 Huawei %%01MSTP/4/LOOP_GUARD(l)[2]:MSTP process 0 Instance0's LOOP-Protection port GigabitEthernet0/0/1 did not receive message in prescriptive time!
[labnario_sw]dis stp brie
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  DISCARDING      LOOP
   0    GigabitEthernet0/0/2        ROOT  FORWARDING      LOOP

Recovery is automatic when port starts receiving STP BPDUs, no additional administrative intervention is required. By default Loop Protection feature is disabled on Huawei switches.

 

Read More »

Huawei eNSP – news

13 May, 2013 0

Based on the release notes of eNSP:

New features:

  • supports TAB key switch when filling IP address of SimPC
  • provides one key register function of AR_Base.

Modified features:

  • improves the stability when starting AR
  • reduces memory usage of AR
  • fixes distribution service for AR
  • fixes the dysfunction of MPLS L3VPN.

A new Huawei Enterprise Network Simulation Platform has been released.

Download, test and enjoy!

Read More »

ISIS route aggregation

10 May, 2013 0

Let’s keep going and try to configure ISIS route aggregation based on the following topology:

 

If you want to recall how to configure ISIS adjacency on Huawei routers, just go to ‘ISIS on Huawei routers‘.

To avoid DIS election, configure all physical interfaces as ISIS point-to-point (p2p) links (Router 1 as an example):

[1-Ethernet0/0/8]isis circuit-type p2p

[1]dis isis interface 

                       Interface information for ISIS(1)
                       ---------------------------------
 Interface       Id      IPV4.State          IPV6.State      MTU  Type  DIS   
 Eth0/0/8        003         Up                 Down         1497 L1/L2 -- 
 Loop0           001         Up                 Down         1500 L1/L2 -- 
 Loop100         002         Up                 Down         1500 L1/L2 -- 

[1]dis isis interface Ethernet 0/0/8 verbose 

                       Interface information for ISIS(1)
                       ---------------------------------
 Interface       Id      IPV4.State          IPV6.State      MTU  Type  DIS   
 Eth0/0/8        003         Up                 Down         1497 L1/L2 -- 
  Circuit MT State            : Standard 
  Circuit Parameters          : p2p 
  Description                 : HUAWEI, AR Series, Ethernet0/0/8 Interface
  SNPA Address                : 00e0-fc03-993e
  IP Address                  : 10.0.1.1
  IPV6 Link Local Address     :
  IPV6 Global Address(es)     :
  Csnp Timer Value            :  L12   10
  Hello Timer Value           :        10
  DIS Hello Timer Value       :
  Hello Multiplier Value      :         3
  Cost                        :  L1    10  L2    10
  Ipv6 Cost                   :  L1    10  L2    10
  Retransmit Timer Value      :  L12    5
  LSP-Throttle Timer          :  L12   50
  Bandwidth-Value             :  Low  100000000  High          0
  Static Bfd                  :  NO
  Dynamic Bfd                 :  NO
  Fast-Sense Rpr              :  NO
  Extended-Circuit-Id Value   :  0000000003

What we want to do today are:

  • Configure Loopback100 interface on Router 1 and assign 10.0.100./32 IP address to it
  • Enable ISIS protocol on Loopback100
  • Configure three static routes: 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 on Router 1
  • Import the static routes to ISIS
  • Aggregate these networks on Level-1-2 router (router 2).

Let’s do it. Configure Loopback100 and enable ISIS on it:

[1]interface LoopBack 100
[1-LoopBack100]ip address 10.0.100.1 32
[1-LoopBack100]isis enable

Configure static routes on Router 1 to simulate networks that should be aggregated:

[1]ip route-static 10.0.2.0 255.255.255.0 NULL0
[1]ip route-static 10.0.3.0 255.255.255.0 NULL0
[1]ip route-static 10.0.4.0 255.255.255.0 NULL0

Import these three routes into ISIS:

[1]isis
[1-isis-1]import-route static level-1

Check the routing table of Router 1:

[1]dis ip rout
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 16       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   ISIS-L1 15   10          D   10.0.1.2        Ethernet0/0/8
        1.1.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack0
        2.2.2.2/32  ISIS-L1 15   10          D   10.0.1.2        Ethernet0/0/8
       10.0.1.0/30  Direct  0    0           D   10.0.1.1        Ethernet0/0/8
       10.0.1.1/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
       10.0.1.3/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
       10.0.2.0/24  Static  60   0           D   0.0.0.0         NULL0
       10.0.3.0/24  Static  60   0           D   0.0.0.0         NULL0
       10.0.4.0/24  Static  60   0           D   0.0.0.0         NULL0
     10.0.100.1/32  Direct  0    0           D   127.0.0.1       LoopBack100
       20.0.0.0/30  ISIS-L1 15   20          D   10.0.1.2        Ethernet0/0/8
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

Check the routing table of Router 5 to find how our networks have been advertised:

[5]dis ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 17       Routes : 17       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  ISIS-L2 15   30          D   40.0.0.1        Ethernet0/0/8
        2.2.2.2/32  ISIS-L2 15   20          D   40.0.0.1        Ethernet0/0/8
        4.4.4.4/32  ISIS-L2 15   10          D   40.0.0.1        Ethernet0/0/8
        5.5.5.5/32  Direct  0    0           D   127.0.0.1       LoopBack0
       10.0.1.0/30  ISIS-L2 15   30          D   40.0.0.1        Ethernet0/0/8
       10.0.2.0/24  ISIS-L2 15   94          D   40.0.0.1        Ethernet0/0/8
       10.0.3.0/24  ISIS-L2 15   94          D   40.0.0.1        Ethernet0/0/8
       10.0.4.0/24  ISIS-L2 15   94          D   40.0.0.1        Ethernet0/0/8
     10.0.100.1/32  ISIS-L2 15   30          D   40.0.0.1        Ethernet0/0/8
       20.0.0.0/30  ISIS-L2 15   20          D   40.0.0.1        Ethernet0/0/8
       40.0.0.0/30  Direct  0    0           D   40.0.0.2        Ethernet0/0/8
       40.0.0.2/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
       40.0.0.3/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

These three static routes configured on Router 1 are imported into ISIS and we can find them in the routing table of Router 5. It should be noted that ISIS has no external routes, unlike OSPF. The origin of the routes is still ISIS, with preference 15. As you can see, the IP address of Loopback100 of Router 1 is also found in the routing table of Router 5.

Let’s finally configure route aggregation. Based on the topology and networks configured, we can aggregate the following networks on Router 2:

  • 10.0.1.0/30
  • 10.0.2.0/24
  • 10.0.3.0/24
  • 10.0.4.0/24
  • 10.0.100.1/32.
[2]isis
[2-isis-1]summary 10.0.0.0 255.255.0.0 (Level-2 by default)

Verify the IP routing table of Router 5 once again:

[5]dis ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 13       Routes : 13       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  ISIS-L2 15   30          D   40.0.0.1        Ethernet0/0/8
        2.2.2.2/32  ISIS-L2 15   20          D   40.0.0.1        Ethernet0/0/8
        4.4.4.4/32  ISIS-L2 15   10          D   40.0.0.1        Ethernet0/0/8
        5.5.5.5/32  Direct  0    0           D   127.0.0.1       LoopBack0
       10.0.0.0/16  ISIS-L2 15   30          D   40.0.0.1        Ethernet0/0/8
       20.0.0.0/30  ISIS-L2 15   20          D   40.0.0.1        Ethernet0/0/8
       40.0.0.0/30  Direct  0    0           D   40.0.0.2        Ethernet0/0/8
       40.0.0.2/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
       40.0.0.3/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

Thus the routing table has been reduced.

Read More »

ISIS on Huawei routers

7 May, 2013 1

ISIS is a link-state IGP protocol. It gathers routing information from adjacent neighbors and uses the SPF algorithm to determine the best paths to destinations.

I wouldn’t like to focus on the theory because you can find it in many sources.

Let’s configure ISIS protocol based on the following topology:

 

Configure IP addresses of physical and loopback interfaces on all routers (it is omitted here):

<1> dis ip interface brief 

Interface                         IP Address/Mask      Physical   Protocol  
Ethernet0/0/8                     10.0.0.1/30          up         up        
LoopBack0                         1.1.1.1/32           up         up(s)      

<2> dis ip interface brief 

Interface                         IP Address/Mask      Physical   Protocol  
Ethernet2/0/0                     10.0.0.2/30          up         up           
GigabitEthernet0/0/0              20.0.0.1/30          up         up        
GigabitEthernet0/0/1              10.0.2.2/30          up         up        
LoopBack0                         2.2.2.2/32           up         up(s)     

<3> dis ip interface brief 

Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              10.0.2.1/30          up         up        
GigabitEthernet0/0/1              30.0.0.1/30          up         up          
LoopBack0                         3.3.3.3/32           up         up(s)      

<4> dis ip interface br

Interface                         IP Address/Mask      Physical   Protocol  
Ethernet4/0/0                     40.0.0.1/30          up         up            
GigabitEthernet0/0/0              20.0.0.2/30          up         up        
GigabitEthernet0/0/1              30.0.0.2/30          up         up           
LoopBack0                         4.4.4.4/32           up         up(s)        

<5> dis ip interface brief 

Interface                         IP Address/Mask      Physical   Protocol  
Ethernet0/0/8                     40.0.0.2/30          up         up        
LoopBack0                         5.5.5.5/32           up         up(s)

Configure ISIS globally, on loopback and physical interfaces (router 2 as an example):

[2]isis
[2-isis-1]network-entity 10.0020.0200.2002.00

[2]interface LoopBack 0
[2-LoopBack0]isis enable
[2]interface Ethernet2/0/0
[2-Ethernet2/0/0]isis enable
[2]interface GigabitEthernet0/0/0
[2-GigabitEthernet0/0/0]isis enable 
[2]interface GigabitEthernet0/0/1
[2-GigabitEthernet0/0/1]isis enable

It should be noted at this point that routers 1, 2 and 3 are in area 10 and routers 4 and 5 in area 20. Additionally you should remember about hierarchical structure of ISIS. In our case router 1 works as level-1, routers 2 and 3 work as level-1-2 (by default) and routers 4 and 5 as level-2. Level-1 is an equivalent of the stub area in OSPF. Level-1 routers have only a defult route to external destinations.

[1]isis
[1-isis-1]is-level level-1

[2]isis
[2-isis-1]is-level level-1-2

[3]isis
[3-isis-1]is-level level-1-2

[4]isis
[4-isis-1]is-level level-2

[5]isis
[5-isis-1]is-level level-2

Let’s verify this configuration:

[1]display isis lsdb 

                        Database information for ISIS(1)
                        --------------------------------

                          Level-1 Link State Database

LSPID                 Seq Num      Checksum      Holdtime      Length  ATT/P/OL
-------------------------------------------------------------------------------
0010.0100.1001.00-00* 0x0000000d   0x936         667           84      0/0/0   
0020.0200.2002.00-00  0x00000013   0x5d55        705           127     1/0/0   
0020.0200.2002.02-00  0x00000009   0xb1e5        705           55      0/0/0   
0020.0200.2002.03-00  0x00000009   0xd901        705           55      0/0/0   
0030.0300.3003.00-00  0x00000010   0x699b        596           100     1/0/0
0020.0200.2002.02-00
0020.0200.2002 - source ID
02 - pseudonode ID
00 - LSP number

ISIS Level-1 router:

  • has the link state information of the local area
  • finds the nearest level 1-2 router based on ATT bit of the LSP
  • generates a default route through the nearest level-1-2 router to visit the destinations outside this area.
[2]display isis lsdb

                        Database information for ISIS(1)
                        --------------------------------

                          Level-1 Link State Database

LSPID                 Seq Num      Checksum      Holdtime      Length  ATT/P/OL
-------------------------------------------------------------------------------
0010.0100.1001.00-00  0x0000000e   0x737         1030          84      0/0/0   
0020.0200.2002.00-00* 0x00000014   0x5b56        1087          127     1/0/0   
0020.0200.2002.02-00* 0x0000000a   0xafe6        1087          55      0/0/0   
0020.0200.2002.03-00* 0x0000000a   0xd702        1087          55      0/0/0   
0030.0300.3003.00-00  0x00000011   0x679c        931           100     1/0/0   

                          Level-2 Link State Database

LSPID                 Seq Num      Checksum      Holdtime      Length  ATT/P/OL
-------------------------------------------------------------------------------
0020.0200.2002.00-00* 0x00000016   0xdb0         1087          163     0/0/0   
0020.0200.2002.01-00* 0x0000000a   0x1f56        1086          55      0/0/0   
0020.0200.2002.02-00* 0x0000000a   0xafe6        1086          55      0/0/0   
0030.0300.3003.00-00  0x00000014   0x6801        930           159     0/0/0   
0030.0300.3003.02-00  0x0000000a   0xa48b        930           55      0/0/0   
0040.0400.4004.00-00  0x00000010   0x5165        434           138     0/0/0   
0040.0400.4004.03-00  0x00000009   0x9435        434           55      0/0/0   
0050.0500.5005.00-00  0x0000000d   0xaa58        985           84      0/0/0

ISIS Level-1-2 router:

  • forms adjacency with both level-1-2 and level-2 routers
  • contains both level-1 and level-2 LSDBs
  • sets ATT bit in the level-1 LSP originated by itself
  • contains routing information of the whole network.
[4]display isis lsdb

                        Database information for ISIS(1)
                        --------------------------------

                          Level-2 Link State Database

LSPID                 Seq Num      Checksum      Holdtime      Length  ATT/P/OL
-------------------------------------------------------------------------------
0020.0200.2002.00-00  0x00000016   0xdb0         1034          163     0/0/0   
0020.0200.2002.01-00  0x0000000a   0x1f56        1034          55      0/0/0   
0020.0200.2002.02-00  0x0000000a   0xafe6        1034          55      0/0/0   
0030.0300.3003.00-00  0x00000014   0x6801        880           159     0/0/0   
0030.0300.3003.02-00  0x0000000a   0xa48b        880           55      0/0/0   
0040.0400.4004.00-00* 0x00000010   0x5165        385           138     0/0/0   
0040.0400.4004.03-00* 0x00000009   0x9435        385           55      0/0/0   
0050.0500.5005.00-00  0x0000000d   0xaa58        936           84      0/0/0

ISIS Level-2 router:

  • forms adjacency with both level-2 and level-1-2 routers
  • gathers LSPs of all routers in backbone area
  • contains all routing information of the whole routing domain.

Let’s look at ISIS routing tables:

[1]dis isis route 

                         Route information for ISIS(1)
                         -----------------------------

                        ISIS(1) Level-1 Forwarding Table
                        --------------------------------

IPV4 Destination     IntCost    ExtCost ExitInterface   NextHop         Flags
-------------------------------------------------------------------------------
0.0.0.0/0            10         NULL    Eth0/0/8        10.0.0.2        A/-/-/-
10.0.0.0/30          10         NULL    Eth0/0/8        Direct          D/-/L/-
20.0.0.0/30          20         NULL    Eth0/0/8        10.0.0.2        A/-/-/-
30.0.0.0/30          30         NULL    Eth0/0/8        10.0.0.2        A/-/-/-
3.3.3.3/32           20         NULL    Eth0/0/8        10.0.0.2        A/-/-/-
2.2.2.2/32           10         NULL    Eth0/0/8        10.0.0.2        A/-/-/-
10.0.2.0/30          20         NULL    Eth0/0/8        10.0.0.2        A/-/-/-
1.1.1.1/32           0          NULL    Loop0           Direct          D/-/L/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
                               U-Up/Down Bit Set

A default route must exist in the Level-1 routing table and the next hop is a Level-1-2 router.

[2]dis isis route 

                         Route information for ISIS(1)
                         -----------------------------

                        ISIS(1) Level-1 Forwarding Table
                        --------------------------------

IPV4 Destination     IntCost    ExtCost ExitInterface   NextHop         Flags
-------------------------------------------------------------------------------
0.0.0.0/0            10         NULL   
10.0.0.0/30          10         NULL    Eth2/0/0        Direct          D/-/L/-
20.0.0.0/30          10         NULL    GE0/0/0         Direct          D/-/L/-
30.0.0.0/30          20         NULL    GE0/0/1         10.0.2.1        A/-/L/-
3.3.3.3/32           10         NULL    GE0/0/1         10.0.2.1        A/-/L/-
2.2.2.2/32           0          NULL    Loop0           Direct          D/-/L/-
10.0.2.0/30          10         NULL    GE0/0/1         Direct          D/-/L/-
1.1.1.1/32           10         NULL    Eth2/0/0        10.0.0.1        A/-/L/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
                               U-Up/Down Bit Set

                        ISIS(1) Level-2 Forwarding Table
                        --------------------------------

IPV4 Destination     IntCost    ExtCost ExitInterface   NextHop         Flags
-------------------------------------------------------------------------------
10.0.0.0/30          10         NULL    Eth2/0/0        Direct          D/-/L/-
20.0.0.0/30          10         NULL    GE0/0/0         Direct          D/-/L/-
30.0.0.0/30          20         NULL   
40.0.0.0/30          20         NULL    GE0/0/0         20.0.0.2        A/-/-/-
3.3.3.3/32           10         NULL   
2.2.2.2/32           0          NULL    Loop0           Direct          D/-/L/-
10.0.2.0/30          10         NULL    GE0/0/1         Direct          D/-/L/-
5.5.5.5/32           20         NULL    GE0/0/0         20.0.0.2        A/-/-/-
1.1.1.1/32           30         NULL   
4.4.4.4/32           10         NULL    GE0/0/0         20.0.0.2        A/-/-/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
                               U-Up/Down Bit Set

Level-1-2 routers contain both level-1 and level-2 routing tables.

[5]dis isis route

                         Route information for ISIS(1)
                         -----------------------------

                        ISIS(1) Level-2 Forwarding Table
                        --------------------------------

IPV4 Destination     IntCost    ExtCost ExitInterface   NextHop         Flags
-------------------------------------------------------------------------------
10.0.0.0/30          30         NULL    Eth0/0/8        40.0.0.1        A/-/-/-
20.0.0.0/30          20         NULL    Eth0/0/8        40.0.0.1        A/-/-/-
30.0.0.0/30          20         NULL    Eth0/0/8        40.0.0.1        A/-/-/-
40.0.0.0/30          10         NULL    Eth0/0/8        Direct          D/-/L/-
3.3.3.3/32           20         NULL    Eth0/0/8        40.0.0.1        A/-/-/-
2.2.2.2/32           20         NULL    Eth0/0/8        40.0.0.1        A/-/-/-
10.0.2.0/30          30         NULL    Eth0/0/8        40.0.0.1        A/-/-/-
5.5.5.5/32           0          NULL    Loop0           Direct          D/-/L/-
1.1.1.1/32           30         NULL    Eth0/0/8        40.0.0.1        A/-/-/-
4.4.4.4/32           10         NULL    Eth0/0/8        40.0.0.1        A/-/-/-
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
                               U-Up/Down Bit Set

A Level-2 router must have all Level-1 and Level-2 routes. We can see it better in IP routing tables:

[1]display ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 14       Routes : 14       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   ISIS-L1 15   10          D   10.0.0.2        Ethernet0/0/8
        1.1.1.1/32  Direct  0    0           D   127.0.0.1       LoopBack0
        2.2.2.2/32  ISIS-L1 15   10          D   10.0.0.2        Ethernet0/0/8
        3.3.3.3/32  ISIS-L1 15   20          D   10.0.0.2        Ethernet0/0/8
       10.0.0.0/30  Direct  0    0           D   10.0.0.1        Ethernet0/0/8
       10.0.0.1/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
       10.0.0.3/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
       10.0.2.0/30  ISIS-L1 15   20          D   10.0.0.2        Ethernet0/0/8
       20.0.0.0/30  ISIS-L1 15   20          D   10.0.0.2        Ethernet0/0/8
       30.0.0.0/30  ISIS-L1 15   30          D   10.0.0.2        Ethernet0/0/8
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

[2]dis ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 20       Routes : 20       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  ISIS-L1 15   10          D   10.0.0.1        Ethernet2/0/0
        2.2.2.2/32  Direct  0    0           D   127.0.0.1       LoopBack0
        3.3.3.3/32  ISIS-L1 15   10          D   10.0.2.1        GigabitEthernet0/0/1
        4.4.4.4/32  ISIS-L2 15   10          D   20.0.0.2        GigabitEthernet0/0/0
        5.5.5.5/32  ISIS-L2 15   20          D   20.0.0.2        GigabitEthernet0/0/0
       10.0.0.0/30  Direct  0    0           D   10.0.0.2        Ethernet2/0/0
       10.0.0.2/32  Direct  0    0           D   127.0.0.1       Ethernet2/0/0
       10.0.0.3/32  Direct  0    0           D   127.0.0.1       Ethernet2/0/0
       10.0.2.0/30  Direct  0    0           D   10.0.2.2        GigabitEthernet0/0/1
       10.0.2.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
       10.0.2.3/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/1
       20.0.0.0/30  Direct  0    0           D   20.0.0.1        GigabitEthernet0/0/0
       20.0.0.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
       20.0.0.3/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
       30.0.0.0/30  ISIS-L1 15   20          D   10.0.2.1        GigabitEthernet0/0/1
       40.0.0.0/30  ISIS-L2 15   20          D   20.0.0.2        GigabitEthernet0/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

[5]display ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 16       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  ISIS-L2 15   30          D   40.0.0.1        Ethernet0/0/8
        2.2.2.2/32  ISIS-L2 15   20          D   40.0.0.1        Ethernet0/0/8
        3.3.3.3/32  ISIS-L2 15   20          D   40.0.0.1        Ethernet0/0/8
        4.4.4.4/32  ISIS-L2 15   10          D   40.0.0.1        Ethernet0/0/8
        5.5.5.5/32  Direct  0    0           D   127.0.0.1       LoopBack0
       10.0.0.0/30  ISIS-L2 15   30          D   40.0.0.1        Ethernet0/0/8
       10.0.2.0/30  ISIS-L2 15   30          D   40.0.0.1        Ethernet0/0/8
       20.0.0.0/30  ISIS-L2 15   20          D   40.0.0.1        Ethernet0/0/8
       30.0.0.0/30  ISIS-L2 15   20          D   40.0.0.1        Ethernet0/0/8
       40.0.0.0/30  Direct  0    0           D   40.0.0.2        Ethernet0/0/8
       40.0.0.2/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
       40.0.0.3/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/8
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

ISIS cost for all interfaces is 10 by default. It can be changed manually by isis cost command.

Some other usefull maintenance commands:

[1]dis isis peer verbose

                          Peer information for ISIS(1)

  System Id     Interface          Circuit Id       State HoldTime Type     PRI (priority for DIS election)
-------------------------------------------------------------------------------
0020.0200.2002  Eth0/0/8           0020.0200.2002.03 Up   9s       L1       64

  MT IDs supported     : 0(UP) 
  Local MT IDs         : 0 
  Area Address(es)     : 10 
  Peer IP Address(es)  : 10.0.0.2        
  Uptime               : 03:04:27
  Adj Protocol         : IPV4 
  Restart Capable      : YES
  Suppressed Adj       : NO
  Peer System Id       : 0020.0200.2002  

Total Peer(s): 1

[1]display isis interface verbose 

                       Interface information for ISIS(1)
                       ---------------------------------
 Interface       Id      IPV4.State          IPV6.State      MTU  Type  DIS 
 Eth0/0/8        001         Up                 Down         1497 L1/L2 No/No 
  Circuit MT State            : Standard 
  Description                 : HUAWEI, AR Series, Ethernet0/0/8 Interface
  SNPA Address                : 00e0-fc03-2b68
  IP Address                  : 10.0.0.1
  IPV6 Link Local Address     :
  IPV6 Global Address(es)     :
  Csnp Timer Value            :  L1    10  L2    10
  Hello Timer Value           :  L1    10  L2    10
  DIS Hello Timer Value       :  L1     3  L2     3
  Hello Multiplier Value      :  L1     3  L2     3
  LSP-Throttle Timer          :  L12    50
  Cost                        :  L1    10  L2    10
  Ipv6 Cost                   :  L1    10  L2    10
  Priority                    :  L1    64  L2    64
  Retransmit Timer Value      :  L12    5
  Bandwidth-Value             :  Low  100000000  High          0
  Static Bfd                  :  NO
  Dynamic Bfd                 :  NO
  Fast-Sense Rpr              :  NO

 Interface       Id      IPV4.State          IPV6.State      MTU  Type  DIS   
 Loop0           001         Up                 Down         1500 L1/L2 -- 
  Circuit MT State            : Standard 
  Circuit Parameters          : passive 
  Description                 : HUAWEI, AR Series, LoopBack0 Interface
  SNPA Address                : 0000-0000-0000
  IP Address                  : 1.1.1.1
  IPV6 Link Local Address     :
  IPV6 Global Address(es)     :
  Csnp Timer Value            :  L12   10
  Hello Timer Value           :        10
  DIS Hello Timer Value       :
  Hello Multiplier Value      :         3
  Cost                        :  L1     0  L2     0
  Ipv6 Cost                   :  L1     0  L2     0
  Retransmit Timer Value      :  L12    5
  LSP-Throttle Timer          :  L12   50
  Bandwidth-Value             :  Low          0  High          0
  Static Bfd                  :  NO
  Dynamic Bfd                 :  NO
  Fast-Sense Rpr              :  NO

[1]dis isis error 

                    Statistics of error packets for ISIS(1)
                    ---------------------------------------
LSP packet errors:
Longer LSP              : 0           Smaller LSP             : 0           
Mismatched Level        : 0           Invalid Sysid           : 0           
Zero Sequence Number    : 0           Illegal IS Type         : 0           
Zero Checksum           : 0           Incorrect Checksum      : 0           
Bad Authentication      : 0           Bad Auth Count          : 0           
More Protocol TLV       : 0           Bad Nbr TLV             : 0           
Bad Extended IS TLV     : 0           Bad IF Addr TLV         : 0           
Bad Reach TLV           : 0           Bad Inter Domain TLV    : 0           
Mismatched Area Id(L1)  : 0           Bad TLV Length          : 0          
Bad Alias TLV           : 0           Bad Area TLV            : 0           
Bad SRLG TLV            : 0           Unknown Adjacency       : 0           
Bad Protocol ID         : 0           Bad Version             : 0           
Zero Lifetime           : 0           Bad Ext Reach TLV       : 0           
Bad TE Router ID TLV    : 0           Bad TE Sub TLV          : 0           

Hello packet errors:
Bad Packet Length       : 0           Reserved CircType       : 0           
Repeated System ID      : 0           Bad Circuit Type        : 0           
Longer packet           : 0           More Area Addr          : 0           
Longer Area Addr        : 0           Bad Area Addr TLV       : 0           
More IF Addr            : 0           Bad Formatted IF TLV    : 0           
More Nbr SNPA(LAN)      : 0           Invalid Sysid           : 0           
Bad TLV Length          : 0           Zero HoldingTime        : 0           
Unusable IP Addr        : 0           Repeated IPv4 Addr      : 0           
Mismatched Area Addr(L1): 0           Mismatched Proto        : 0           
SNPA Conflicted(LAN)    : 0           Mismatched Level        : 0           
Mismatched Max Area Addr: 0           Bad Authentication      : 0           
More Auth TLV           : 0           3-Way Option Error(P2P) : 0           
No Area Addr TLV        : 0           Bad Protocol ID         : 0           
Bad Version             : 0           Invalid IPv6 Addr       : 0           
More IPv6 IF Addr       : 0           Duplicate IPv6 Addr     : 0           
More Optional Checksum  : 0           Bad Optional Checksum   : 0           
--------------------------------------------------------------------

<1> debugging isis adjacency 

May  7 2013 16:17:06.629.1-05:13 1 ISIS/6/ISIS:
 ISIS-1-ADJ: Use level-1 IIH enconde cache to send IIH, Eth0/0/8.(IS15_2679)

May  7 2013 16:17:06.629.2-05:13 1 ISIS/6/ISIS:
 ISIS-1-ADJ: Sending Lan L1 Hello on Eth0/0/8, to SNPA 0180.c200.0014.(IS15_6941)

May  7 2013 16:17:07.319.1-05:13 1 ISIS/6/ISIS:
 ISIS-1-IIH: Set L1 holdtime on Eth0/0/8 for NBR 0020.0200.2002 as 9(IS21_968)

In this post I focused only on basic ISIS configuration. This protocol is widely used among ISPs. I will spend more time in the future to show you more functions and ISIS configuration examples.

Read More »

traffic mirroring – a riddle

26 Apr, 2013 0

I have busy time now and a frequency of updating my blog is not such as I would expect. Sorry for that. I hope it should be better soon.

But today I would like to ask you a simple riddle.

Let’s assume that we have S9300 switch and a fragment of its configuration:

#
observe-port 1 interface Ethernet0/0/1
#
acl number 3000
rule 5 deny ip source 89.168.24.0 0.0.0.255
rule 10 deny ip source 91.10.10.0 0.0.0.255
rule 15 permit ip
#
traffic classifier riddle operator and
if-match acl 3000
#
traffic behavior riddle
mirroring to observe-port 1
statistic enable
#
traffic policy riddle
classifier riddle behavior riddle
#
interface Ethernet0/0/10
traffic-policy riddle inbound

Based on this configuration, what will happen with traffic classified by ACL 3000, and why?

Do not hesitate to send your answer in comments. If you need, you can do a simple test on Huawei eNSP.

Answer:

acl number 3000
rule 5 deny ip source 89.168.24.0 0.0.0.255 (will be dropped)
rule 10 deny ip source 91.10.10.0 0.0.0.255 (will be dropped)
rule 15 permit ip (will be mirrored to observe port)

What is the default action for traffic behavior?

The default action is to permit all.

What does it mean?

It means that traffic behavior in our case will look like:

traffic behavior riddle
mirroring to observe-port 1
permit (the default configuration is not displayed)

Remember that only traffic, that is classified as permit in ACL, can be used in traffic mirroring!!!

Traffic with deny action will be dropped because the default action in traffic behavior is to permit all.

I got a few answers. Thanks for them. Unfortunately none of them was written in an exhaustive manner.

Read More »
Design By: ThemeTen