Goodbye fast switching & cell-mode MPLS

After leaving us in the dark for almost a year, Cisco finally released new functionality in IOS release 12.4(20)T. Support for a number of hardware platforms has been removed (dynamips fans are left with the 7200’s, everything else is gone). They also removed two switching features: fast switching and label-controlled ATM (cell-mode MPLS-over-ATM) together with Label Switch Controller (LSC).

I have no problem living without LC-ATM or LSC; this technology was primarily a retrofit for the old boxes by the time MPLS really took off with MPLS VPN. Fast switching is a different beast. Whenever you’d encounter bugs in more creative designs involving NAT, IPSec and GRE on low-end routers, you could turn off CEF (assuming you did not run NBAR) and things would (sometimes) miraculously start to work. Without fast switching, turning off CEF would bring you straight into process switching, resulting in an order-of-magnitude (or more) performance loss. On the other hand, it's obvious it makes no sense to maintain an obsolete switching method … and more bugs will probably get reported and fixed now that the easy escape route is gone.

Next-hop fixup in partially-meshed NBMA networks

Shahid has sent me an interesting observation: he was running RIP in partially-meshed Frame Relay network and wanted to use static host routes to fix next-hop problems, but somehow they didn't work as expected. I ran a series of scenarios testing RIP, OSPF, EIGRP and BGP and found that some of the old tricks don't work any more. Furthermore, it's almost impossible to run RIP over partially-meshed NBMA network, as the default RIP next-hop processing messes up your routing table. The details are explained in the Next-hop fixup in partially-meshed NBMA networks article in the CT³ wiki.

This article is part of You've asked for it series.

Summer schedule

I don't know about the rest of the world, but Europe is evidently in the middle of the summer holiday season (at least judged by weekend-long traffic jams on the highways). To help you handle the information overload when getting back from your vacation, I'll limit myself to three or four posts per week. OK, I might also turn off the routers for a few days and do a few more interesting things :)

Shorter display of OSPF database

Recently I had to explore the behavior of Cisco IOS OSPF implementation and had to inspect OSPF database on routers in various areas. If you're only interested in the contents of the database (not in low-level troubleshooting), variety of LSA fields (including LS Age, Options, Checksum, Length ...) are just cluttering the printout, so I fine-tuned the show filter to exclude all the non-relevant fields, ending with show ip ospf database parameters | exclude LS|Options|Check|Len|(MTID:[ 0-9]+$) (the MTID field appears in IOS release 12.2SRC).To make the command more useful, I've changed it into a short Tcl script (using steps from the post explaining how to execute complex CLI commands from Tcl) stored in flash:ospfdb.tcl …

set cmd {show ip ospf database }
append cmd $argv
append cmd { | excl LS|Options|Check|Len|(MTID:[ 0-9]+$)}
puts [exec $cmd]

… and defined alias exec ospfdb flash:ospfdb.tcl. I could then easily inspect the contents of various parts of OSPF database I was interested in, for example:

a3#ospfdb external 0.0.0.0
 
            OSPF Router with ID (10.0.1.3) (Process ID 1)
 
                Type-5 AS External Link States
 
  Link State ID: 0.0.0.0 (External Network Number )
  Advertising Router: 10.0.1.5
  Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        Metric: 1 
        Forward Address: 0.0.0.0
        External Route Tag: 1

Interesting links | 2008-07-13

• Petr Lapukhov described the differences between shaping and policing, the Unidirectional Link Detection (UDLD) technology and the PPP IPCP subnet mask negotiation. Obviously he had a highly productive week :) ... or maybe the shakeups in the CCIE training market result in more high-quality content? Hat tip to Ethan; you've made me look up a word in the English dictionary; a rare, but interesting and pleasurable event.
• Jeremy Stretch documents how you can turn a Catalyst into a totally transparent switch. Fantastic solution for lab environments. He also found a way to generate IOS type 5 passwords (enable/username secrets) on a Linux workstation.

Fragments | 2008-07-12

This week in Fragments, NIL's corporate blog:

• Klemen Štular, our CEO, analyzes what IT vendors can do when they want to grow 30% year-over-year and hit the physical limits of the market.
• Marjan Bradeško is fed up with the new binary arithmetic that works with digits 2 and 0 (plus the mandatory dot between them).
• I've continued my analysis of IOS stability and focused on the programs Cisco is putting in place to replace the venerable GD designation. I've also reviewed the Global IPv6 Strategies book published by Cisco Press.
• And lastly, Cisco announced a number of CCNA certifications.

Use the RSS feed to subscribe to Fragments

How obscure can it get?: BGP IPv6 printouts

If you want to display any IPV6-related BGP objects (neighbors, routes …) you can use the familiar BGP commands, but have to prefix them with show ip bgp ipv6 unicast. For example, to display the BGP neighbors active in the IPv6 address family, you would use show ip bgp ipv6 unicast summary command. I doubt you like so much typing (I don't, just entering the IPv6 addresses is enough for me); luckily Cisco IOS has aliases - just configure alias exec bgpv6 show ip bgp ipv6 unicast and (for consistency) alias exec bgpv4 show ip bgp ipv4 unicast.With these aliases, the BGP IPv6 maintenance and troubleshooting becomes almost enjoyable:

PE-C#bgpv6 summary ¦ begin Neighbor
Neighbor    V    AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/PfxRcd
10.0.1.1    4 65000      18      21     11   0    0 00:12:49        2
10.0.1.2    4 65000      20      20     11   0    0 00:12:50        2
FEC0:C0FF:EE00::11:2
            4 65100     984    1086     11   0    0 16:16:33        2
PE-C#bgpv6 regexp 65100
BGP table version is 11, local router ID is 10.0.1.5
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
             r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> FEC0::1:3/128    FEC0:C0FF:EE00::11:2
                                            0             0 65100 i
*> FEC0:1:0:3::/64  FEC0:C0FF:EE00::11:2
                                            0             0 65100 i

Global IPv6 strategies

If you want to understand the buzz raised recently about IP version 6, and your daily job includes more budget meetings, payroll discussions or strategy/operational planning than router configuration, Global IPv6 Strategies: From Business Analysis to Operational Planning (Cisco Press, 2008) is a mandatory book for you.

Read more ...

QoS Policing in Cisco IOS

Policing implementations in Cisco IOS are a bit confusing: IOS supports three different algorithms that are configured with very similar parameters of the police command in modular QoS CLI. There's also the older rate-limit command that uses a limited implementation of one of the three algorithms. You'll find all policing details, including the graphic representations of all three algorithms in the QoS Policing in Cisco IOS article in CT³ wiki.

The value of being a CCIE

I was very pleasantly surprised by the supportive comments to my CCIE-related post; I didn’t realize there are so many CCIEs out there that feel the same way I do. Will we change anything? We can only hope; the CCIE program is orders of magnitude smaller than the Cisco’s equipment sales.

A few of the comments also asked for my opinion on the value of CCIE certification and whether it’s worth pursuing. Obviously, the short answer is yes.

CCIE certification has “commercial” as well as “academic” value. Undoubtedly, being a CCIE will (on average) increase your chances of getting a better-paid job. If you’re looking for jobs where the CCIE certification could help, you absolutely have to maintain the active status. For example, if you want to work for a Cisco’s partner, your CCIE status brings value only if you’re an active CCIE (suspended or inactive CCIEs don’t count toward the CCIE quota Cisco partners have to maintain). This requirement makes sense: partner CCIEs are usually faced with critical production problems in customer networks and thus have to hone their skills continuously.

Conclusion: if you’ve just got your CCIE certification, make sure you re-certify a few times; losing the active status would destroy the value you’ve been working so hard to create.

The “academic” value of the CCIE certification is also worth mentioning: it’s one of the few certifications that you simply cannot fake with the help of brain dumps. If you want to prove to yourself (and others) that you can reach the expert level in networking, go for CCIE or JNCIE (anyone aware of any other certifications that involve a day in an actual lab?). Of course, once you’ve become CCIE, it is worthless discussing whether you’re still a CCIE if you haven’t recertified (only certification zealots have problems with this concept). If you’ve got a PhD in physics, nobody will question whether you should still have the degree if you don’t work with particle accelerators; it’s the same with the CCIE certification (although Cisco is mysteriously vague on this topic).

Last but not least, the traffic logs have undoubtedly proved that I should stop writing about technology: the daily visits have jumped on July 1st and stayed higher-than-average for the next two days.

Wonderful Cisco IOS documentation

I wanted to figure out the exact release when Cisco IOS got EBGP load-sharing. Fighting through Feature Navigator is a pain for me, so I usually check older IOS documentation, starting from the old UniverCD URL (I was able to remember that one, the new URLs don't make any sense to me). When I've selected IOS release 11.0 configuration guides, the system redirected me to the "new style" 11.0 Router Products Configuration Guide ... and it looks like IOS did not support IP in release 11.0 :) ... or at least there are no instructions on how to configure it.

It's really sad how Cisco handles documentation these days. First they'd moved everything to new addresses and implemented redirects that didn't work (this is mostly fixed now), now they've managed to lose important parts of documentation.

Simple CLI extensions: handling special characters

Last week I've described how you can extend the exec-mode CLI commands with almost no knowledge of Tcl. A bit more work is required if your commands include Tcl special characters (quotes, braces or backslashes).

For example, to display all routes advertised by customers of AS X, you'd use the following show command: show ip bgp regexp _X_([0-9]+)(_\1)*$ (the regular expression is explained in the AS-path based filter of customer BGP routes post). This command cannot be entered as a Tcl string with variable substitution; Tcl would interpret the [ and \ characters. You could enter the whole command in curly braces, but then there would be no variable substitution that we need to insert command line parameters. To make Tcl happy, use the following Tcl commands:

1. set cmd {first-part-of-command} stores the command prefix into the cmd variable;
2. append cmd $argv appends the command line arguments to the command;
3. append cmd {rest-of-command} appends the rest of the IOS exec command;
4. puts [exec $cmd] executes the command and prints the results.

For example, the following code will display the customers of a BGP AS specified in the command line (after being stored in a flash file and defined in an alias, of course):

set cmd {show ip bgp regexp _}
append cmd $argv
append cmd {_([0-9]+)(_\1)*$}
puts [exec $cmd]

Interesting links | 2008-07-06

• Protecting your IP network infrastructure: a very comprehensive presentation listing most IOS/CatOS security features (look at the full version).
• Hot Air Balloon managers: the Thinking Problem Management blog where I found the link to the security presentation has a nice description of some IT managers.
• Web Farming with the Network Load Balancing Service in Windows Server 2003: load balancing built into the Windows operating system.
• How to enable IP forwarding in Linux: if you ever have to turn a Linux server into a router (ok, a layer-3 packet forwarding device :) but know as little about Linux as I do.
• Extracting BGP info with regular expressions: if you don't want to know anything about BGP regular expressions and did not attend the BGP course (where we cover all the commonly used ones in a special section), this blog post will give you the basics you probably need.
• ACLs and network protocols: how to block (or allow) BGP, EIGRP, OSPF and more in an IOS access list.
  

Wikis and blogs

A week ago I've announced that we've managed to merge my personal wiki efforts with NIL's corporate wiki, resulting in a solution that will cover more networking topics than just the Cisco IOS issues I've been describing so far. The only response I've got was a concerned anonymous reader who was afraid he would have to sort through a few more entries before getting to the Cisco IOS content he's interested in.

Anyhow, the comment clearly shows that I haven't done a good enough job detailing what my plans are (in case anyone wants to know :). Blogs (particulalry Blogger-based ones) are not the best media to write long in-depth texts. I've therefore decided a few months ago that I will have to start a Wiki along with the IOS hints blog to split the content based on its length and technical depth: the longer articles would be stored in the Wiki (also giving you the ability to expand on them or fix my errors), whereas the shorter hints would stay in the blog. Also (as you've probably noticed), whenever I publish a Wiki article, I'm also publishing a link and a short introductory text in the blog, so you'll be aware of all my content just by following the blog (or its RSS feed). The only change (as far as you are concerned) is that the Wiki will have a broader, but still networking-focused, coverage than if it would remain my personal effort.

Just for the reference, this is what I wrote when I was documenting the wiki-to-blog positioning for people I've invited as potential contributors:

The next obvious question should be: why not the blog. The reason is very simple: ease of use and the underlying assumptions. I've started blogging because it was the easiest platform to push quick ideas into the Internet ... and that's what blogs are good for. But unless you invest a lot of energy into customization (and I can't do much of that, as I'm using Blogger), blogs still have a sequential mentality (and Blogger's first page gets quite slow if you're writing long articles). Furthermore, formatting my stuff on Blogger the way I want it to appear is close to a nightmare; I'm much faster using Wiki markup. Last but definitely not least, the wiki software allows me to edit a single section, so I can really focus on the text that needs to be fixed; in Blogger, I have to spend a lot of time trying to find the exact text in the small editing window (but of course, that's my fault, I'm misusing Blogger for something it was never designed to do).

There is also another huge difference between a blog and a wiki: a blog post is almost static (only the author can fix errors in it), while a wiki is a dynamic environment. Hopefully we can attract writers as well as readers and have other people fix the typos, bugs or even add explanations where ours are sketchy.

In case you'd like to get more overview information on differences between blogs and wikis, check my Web 2.0 presentation.

The OSPF default mysteries

A while ago I wanted to combine the blog posts I've written about the default routes in OSPF into a single wiki article. As I started to investigate the various options you have to generate default routing in OSPF (including stub areas and not-so-stubby areas), the text quickly became too long and resulted in July IP Corner article "The OSPF default mysteries".