Recently, I have had some questions about ECMP load balancing on Cisco switches. I already knew that traffic is distributed across the interfaces, but I could not understand the method behind it. This is a good chance for me to learn.

 

I have read this instruction. It introduces the terms "per-destination" and "per-packet", which are the ones to understand.

From this instruction, I can see the configuration parameter on the interface as below.

For this verification, I set up a GNS3 topology like the one below: R1 and R2 are connected to each other by three links.

I will look at the Wireshark capture on each interface.

 

 

1. Per-Destination Algorithm 

 

"Per-destination" is the default, so nothing changes in the running configuration when I enter the CLI command "ip load-sharing per-destination" on the interface.

This algorithm is a hash. CEF hashes the source and destination IP addresses of each packet and maps the result onto one of the equal-cost paths, so every packet with the same source/destination pair leaves on the same interface and a single flow is never split across links. R1 has three loopback addresses, 1.1.1.1, 1.1.1.2 and 1.1.1.3. I will send ICMP from each of them as the source. Different sources may use different links, but as long as the source and destination are the same, the link stays the same.

 

[R1# ping 2.2.2.2 source 1.1.1.1 repeat 1]

R1 sends the ICMP request over Fa 2/1 and receives the reply over Fa 2/3.

 

[R1# ping 2.2.2.2 source 1.1.1.2 repeat 1]

R1 sends the ICMP request over Fa 2/2 and receives the reply over Fa 2/1.

 

[R1# ping 2.2.2.2 source 1.1.1.3 repeat 1]

R1 sends the ICMP request over Fa 2/2 and receives the reply over Fa 2/1.

 

Ten minutes later I run the same ping again. The result is the same.

[R1# ping 2.2.2.2 source 1.1.1.2 repeat 1]

R1 sends the ICMP request over Fa 2/2 and receives the reply over Fa 2/1.

 

2. Selecting the load-sharing algorithm for "per-destination"

 

This global configuration ("ip cef load-sharing algorithm universal") changes how R1 and R2 compute the hash. "Per-destination" is a deterministic hash, so with the original algorithm R1 and R2 make the same decision for the same source/destination pair. That is how one link ends up carrying more than its share: every flow that R1 placed on link 1 is hashed into the same bucket again at R2, so R2 never spreads those flows over its other links (this is called CEF polarization; for example R1 --> link 1 --> R2 and R2 --> link 1 --> R1 can both happen for the same flows). The "universal" algorithm mixes a per-router unique ID into the hash, so each router distributes the same set of flows differently across its links.

 

3. Per-Packet Algorithm

 

I configure "ip load-sharing per-packet" on the interfaces of both R1 and R2, as below.

Then I ping R2, whose loopback address is 2.2.2.2/32.

I get the result below. It shows that the traffic is distributed packet by packet, even within a single connection (the same source/destination pair). Two caveats before using this in production: packets of one TCP flow can now arrive out of order, which costs throughput because the receiver has to buffer and the sender may retransmit; and since the path is no longer a function of the addresses, a capture or flow record taken on one interface no longer shows a whole conversation. Not every platform supports per-packet load sharing in hardware, so check the release notes for the box.

[FastEthernet 2/1]

[FastEthernet 2/2]

[FastEthernet 2/3]
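To make the difference between the three modes concrete, here is an added Go model (example code, not from the post or from Cisco). It uses FNV-1a over the source and destination addresses as a stand-in for CEF's proprietary hash, a per-router ID as the extra input the universal algorithm mixes in, and a packet counter for per-packet mode. The flows it runs are constructed; only the loopback addresses come from the post. Running it shows the same pair always landing on the same link, every flow that R1 put on link 0 landing on a single link at R2 when both routers hash identically (polarization), and those flows spreading again once the routers use different IDs.

```go
package main

import (
	"fmt"
	"hash/fnv"
)

// flow is the key that per-destination (per-flow) load sharing hashes over.
// Real CEF may include more fields on some platforms; src/dst is what the post describes.
type flow struct {
	src, dst string
}

// selectLink models "ip load-sharing per-destination": hash the address pair and
// take the result modulo the number of equal-cost links. routerID stands in for
// the per-router value the "universal" algorithm adds to the hash; pass 0 on every
// router to model the original algorithm, where all routers compute the same hash.
// FNV-1a is an assumption: the actual CEF hash is not public.
func selectLink(f flow, routerID uint32, links int) int {
	h := fnv.New32a()
	h.Write([]byte(f.src))
	h.Write([]byte{0}) // separator so src+dst cannot collide with a shifted split
	h.Write([]byte(f.dst))
	h.Write([]byte{byte(routerID >> 24), byte(routerID >> 16), byte(routerID >> 8), byte(routerID)})
	return int(h.Sum32() % uint32(links))
}

// perPacketLink models "ip load-sharing per-packet": the link depends only on how
// many packets the router has already sent, not on the addresses.
func perPacketLink(packetIndex, links int) int {
	return packetIndex % links
}

// polarization sends flows through R1, keeps only those R1 put on link 0 and counts
// how many distinct links R2 spreads them across. With identical hash inputs on both
// routers the answer is 1: R2 re-hashes the same pair into the same bucket.
func polarization(flows []flow, r1ID, r2ID uint32, links int) int {
	seen := map[int]bool{}
	for _, f := range flows {
		if selectLink(f, r1ID, links) == 0 {
			seen[selectLink(f, r2ID, links)] = true
		}
	}
	return len(seen)
}

// sampleFlows builds 300 constructed flows from distinct sources to the 2.2.2.2
// loopback used in the post.
func sampleFlows() []flow {
	flows := make([]flow, 0, 300)
	for i := 0; i < 300; i++ {
		flows = append(flows, flow{src: fmt.Sprintf("10.0.%d.%d", i/256, i%256), dst: "2.2.2.2"})
	}
	return flows
}

func main() {
	const links = 3
	for _, src := range []string{"1.1.1.1", "1.1.1.2", "1.1.1.3"} {
		f := flow{src: src, dst: "2.2.2.2"}
		fmt.Printf("per-destination %s -> %s: link %d (same pair again: link %d)\n",
			f.src, f.dst, selectLink(f, 0, links), selectLink(f, 0, links))
	}
	for i := 0; i < 5; i++ {
		fmt.Printf("per-packet, packet %d of one flow: link %d\n", i, perPacketLink(i, links))
	}
	flows := sampleFlows()
	fmt.Printf("original algorithm:  flows leaving R1 on link 0 use %d link(s) at R2\n",
		polarization(flows, 0, 0, links))
	fmt.Printf("universal algorithm: flows leaving R1 on link 0 use %d link(s) at R2\n",
		polarization(flows, 0x01010101, 0x02020202, links))
}
```

The per-router ID is the whole point of the universal algorithm: the hash function itself is unchanged, only its input differs per hop, which is enough to stop downstream routers from repeating the upstream decision.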

 

 

Reference

[ 1 ] https://networkengineering.stackexchange.com/questions/27914/example-of-ecmp-uses-hashing-technique

[ 2 ] https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_2/nx-os/unicast/configuration/guide/l3_cli_nxos/l3_manage-routes.html#wp1114960

[ 3 ] https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipswitch_cef/configuration/15-mt/isw-cef-15-mt-book/isw-cef-load-balancing.html#GUID-303F07B8-A52B-4BD3-A1F8-54DF24493D8E

I am a beginner in Go. If you are looking for an expert, I am not that guy. Anyway, I will try to write this post as a beginner.

 

1. var and type

 

I think "var" and "type" are the most used elements.

package main

import "fmt"

func main() {
	var i = 10
	fmt.Printf("%d\n", i)
}

This is the sample case. "var i = 10" is the part that declares the variable. It is different from other languages: there is no type such as int, float or string written out. In Go, the general form is as below.

var <names> <type> = <expression>

Several names can be declared in one statement, and the type can be written explicitly. With the type written out, the same case looks like below.

package main

import "fmt"

func main() {
	var i int = 10
	fmt.Printf("%d\n", i)
}

Go also has the short declaration form below. The type is inferred from the expression on the right, and this form is only allowed inside a function body.

<names> := <expression>

Because of this, the sample case can be rewritten like below.

package main

import "fmt"

func main() {
	i := 10
	fmt.Printf("%d\n", i)
}
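The three forms above side by side, as an added Go example (not from the post), together with a few rules the snippets do not show: several names in one statement, the zero value a variable gets without an initializer, the fact that := is only allowed inside a function, and that Go never converts between numeric types implicitly. Every identifier in it is made up for the example.

```go
package main

import "fmt"

// pkgLevel shows that a package-level variable must use var; the := form is
// rejected by the compiler outside a function body.
var pkgLevel = "package scope"

// declarations returns one value from each declaration form so the results can be
// checked: explicit type, inferred type, short declaration, and no initializer.
func declarations() (int, float64, string, bool) {
	var explicit int = 10 // type written out
	var inferred = 2.5    // type taken from the literal: float64, not float32
	short := "hello"      // same as var short = "hello", function scope only
	var zero bool         // no expression: the zero value of bool is false
	return explicit, inferred, short, zero
}

// multi declares several names in one statement and shows that := may reuse an
// existing name as long as at least one name on the left-hand side is new.
func multi() (int, int, string) {
	var x, y int = 1, 2
	x, z := 3, "z" // x is assigned (already declared), z is newly declared
	return x, y, z
}

// typeNames reports the static type Go chose for each declaration, using %T.
func typeNames() []string {
	a, b, c, d := declarations()
	return []string{fmt.Sprintf("%T", a), fmt.Sprintf("%T", b), fmt.Sprintf("%T", c), fmt.Sprintf("%T", d)}
}

// convert shows that mixing numeric types needs an explicit conversion:
// writing i + f directly is a compile error (mismatched types int and float64).
func convert() float64 {
	i := 10
	f := 0.5
	return float64(i) + f
}

func main() {
	a, b, c, d := declarations()
	fmt.Println(a, b, c, d, typeNames())
	fmt.Println(multi())
	fmt.Println(convert(), pkgLevel)
}
```

The inferred types matter more than they look: a literal 2.5 becomes float64, an untyped 10 becomes int, and the compiler will not silently add the two, which is why convert() has to spell out float64(i).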

 


Today I will start to learn how to use Go. I am not good at programming languages. With this chance, I hope that I can read Go with its basic grammar.

 

1. Installation

I will follow this instruction, which is offered by the Go project.

wget https://dl.google.com/go/go1.14.1.linux-amd64.tar.gz

Before extracting, compare "sha256sum go1.14.1.linux-amd64.tar.gz" with the checksum listed next to the file on the download page; a tarball that does not match should not be unpacked. I can extract the file into any directory I want. In my case, I extract it into my home directory.

# cd /home/ubuntu

# tar -xf go1.14.1.linux-amd64.tar.gz  

# rm -rf go1.14.1.linux-amd64.tar.gz  

# ls

go 

After extracting, I edit my environment file to add the Go binary path. Note that /home/ubuntu/go is also Go's default GOPATH (the module cache and the targets of "go install" live under $HOME/go), so the toolchain and the workspace end up mixed in the same tree; the official instructions extract the tarball into /usr/local instead.

# vi /etc/environment

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/home/ubuntu/go/bin"

# source /etc/environment

Now I am ready to study this GoLang.

# go version

go version go1.14.1 linux/amd64

 

2. Test my first Go program.

 

I write my first Go program from the sample below.

# cat hello.go
package main

import "fmt"

func main() {
	fmt.Printf("hello, world\n")
}

There are two ways to run this program. The first is the "run" command: it compiles the file into a temporary location, runs it, and leaves no binary behind.

# go run hello.go
hello, world

# go build hello.go

# ls
hello  hello.go  ubuntu

# ./hello
hello, world

The second is the "build" command. It compiles the file and writes a binary; in this case "hello" is the compiled file.

 

Reference 

[ 1 ] https://golang.org/doc/install


How to set up DNSSEC for bind9?

 

In this post, I wrote how to configure DNS servers (bind9). In this post, I will set up DNSSEC so that answers from my zone can be authenticated by resolvers, which protects clients against forged responses. In fact, I am not familiar with DNS, so I will follow this instruction.

 

1. Prerequisites

 

I need DNS servers (master, slave and caching). I can build them simply from this instruction.

 

2. Edit Master DNS server configuration

 

First, I update the master DNS server configuration to enable DNSSEC. Open "/etc/bind/named.conf.options" and add the three dnssec lines shown below (the ones after allow-transfer). Two caveats about them: "dnssec-lookaside auto" refers to ISC's DLV registry, which was shut down in 2017, and the option is deprecated and no longer honoured in current BIND releases, so it can be dropped; "dnssec-enable" is likewise obsolete in current releases. "dnssec-validation" only affects recursive resolution, so it does nothing on this authoritative-only server (recursion no); the caching resolver in section 4 is where it matters.

# cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        recursion no;
        listen-on port 53 { 10.10.0.124; };
        allow-transfer { none; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

DNSSEC requires a Zone Signing Key (ZSK), which signs the records in the zone, and a Key Signing Key (KSK), which signs the DNSKEY RRset and is the key the parent's DS record points to. Both are published in the zone as DNSKEY records. I have to generate them. Generating RSA keys needs entropy; on a virtual machine with little hardware entropy, "haveged" is a good way to keep the kernel pool filled.

# apt-get install haveged

Now I can generate the keys. Note that the key files should be in the same directory as the zone files, because dnssec-signzone looks for them there.

# cd /var/cache/bind/zones

Run the command below to generate the ZSK. The last argument is the zone name, not the zone file name. The output is the key name, and two files appear; these are the Zone Signing Key. NSEC3RSASHA1 (algorithm 7) is what the instruction uses, but it is SHA-1 based and RFC 8624 no longer recommends it for signing; for a new zone prefer "-a ECDSAP256SHA256" (algorithm 13, no -b needed) or "-a RSASHA256 -b 2048".

# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE g.crenet.com

Generating key pair......+++ ...............+++

Kg.crenet.com.+007+01898

 

root@master:/var/cache/bind/zones# ls

Kg.crenet.com.+007+01898.key

Kg.crenet.com.+007+01898.private

Now I create the Key Signing Key like below. After running it, I get another two files.

# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE g.crenet.com

Generating key pair............................++ .........................................................................++

Kg.crenet.com.+007+33324

 

root@master:/var/cache/bind/zones# ls

Kg.crenet.com.+007+01898.key  Kg.crenet.com.+007+01898.private  Kg.crenet.com.+007+33324.key  Kg.crenet.com.+007+33324.private

These steps only created the keys; the next step is to publish the public halves in the zone. Open the zone file I want to sign and $INCLUDE the two .key files. The .private files are never included and never copied to the slaves (the slaves receive the signed zone by zone transfer); keep them readable only by root, which is how dnssec-keygen creates them.

root@master:/var/cache/bind/zones# cat db.g.crenet.com
$TTL    30
@       IN      SOA     g.crenet.com. admin.g.crenet.com. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
        IN      NS      ns1.g.crenet.com.
        IN      NS      ns2.g.crenet.com.
ns1.g.crenet.com. IN A 10.10.0.124
ns2.g.crenet.com. IN A 10.10.0.225
;
www.g.crenet.com. IN A 10.10.0.10
$INCLUDE /var/cache/bind/zones/Kg.crenet.com.+007+01898.key
$INCLUDE /var/cache/bind/zones/Kg.crenet.com.+007+33324.key

Now I am ready to sign the zone file with "dnssec-signzone -3 <salt> -A -N INCREMENT -o <zonename> -t <zonefilename>". "-3 <salt>" selects NSEC3 with that salt, "-A" sets the NSEC3 opt-out flag, "-N INCREMENT" bumps the SOA serial, "-o" gives the zone origin and "-t" prints statistics. Two caveats: opt-out is meant for very large zones full of unsigned delegations, and in a small zone like this one it only weakens the proof that a name does not exist, so "-A" is better left out; and RFC 9276 recommends an empty salt ("-3 -") with zero extra iterations, since a salt adds no security. The instruction generates a random salt as below.

# head -c 1000 /dev/random | sha1sum | cut -b 1-16

643f8a18458c3fbd

With this value, I can complete the command above.

# cd ../zones

# dnssec-signzone -3  643f8a18458c3fbd -A -N INCREMENT -o g.crenet.com -t db.g.crenet.com
Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                         ZSKs: 1 active, 0 stand-by, 0 revoked
db.g.crenet.com.signed
Signatures generated:                       12
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.017
Signatures per second:                 685.910
Runtime in seconds:                      0.023

 

# ls
db.g.crenet.com         dsset-g.crenet.com.           Kg.crenet.com.+007+01898.private  Kg.crenet.com.+007+33324.private
db.g.crenet.com.signed  Kg.crenet.com.+007+01898.key  Kg.crenet.com.+007+33324.key

"db.g.crenet.com.signed" and "dsset-g.crenet.com." are created. I point the zone in "named.conf.local" at the signed file.

# cat /etc/bind/named.conf.local
zone g.crenet.com {
   type master;
   file "/var/cache/bind/zones/db.g.crenet.com.signed";
   allow-transfer { 10.10.0.225; };
};

Restart the service and query the master with dig.

# service bind9 restart

# dig DNSKEY g.crenet.com @10.10.0.124 +multiline

; <<>> DiG 9.10.3-P4-Ubuntu <<>> DNSKEY g.crenet.com @10.10.0.124 +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31480
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;g.crenet.com.          IN DNSKEY

;; ANSWER SECTION:
g.crenet.com.           30 IN DNSKEY 257 3 7 (
                                AwEAAZxSkIvePjPUR+SDp7Dyf9NUVdVN2x250Ipqf/Oj
                                JFbq3Wl6b+97lZtSCkQIwa4llL6BHtXMfWWY70qx8hn6
                                q3lBVXR4XQcsloe16YHDucO8x5MW+o+l61yspKeEj4ZH
                                rb9msIW0AY4vGKj6xofTza/RFI2iiBiLzrCelgYWP2IG
                                hemeYMfUP3y0RNnsNB9ozh8O1uA2PocTwDaKWqkI0a41
                                Up/Ea41VKy97ZZgz2duafCkWrrFOAGMbR6M1+P3Glay5
                                Sj1vLHt1jUcCKk7RnjvlMTuZ74jGu/8IcotMZsna8nwe
                                jZB4Scm4Y/gr1xo+5CkJ9lzsdz8oMHAdwNE+CqDag24C
                                7gisB81zl1qtNOuSlVGO1TPdriH+Y3da+kCfNj6Q+vLi
                                rtoNlY6/WfmYtr9KzhnthDkoz3HVCJguv2ThUL62La2Z
                                GHyFtYeiyQ0Oa7y6z0VtrQZ/qn/BwmnWqDOCdQLqu7m4
                                k4zqoknGZ1BbUK77DQ1R08yfOYTbIOJlHHHgGuVWHAIo
                                XrhjbwQYvNXtFgCn+w60zB8uxQcctIX2PiOj0WRtOJkN
                                5mcrL5sYGNVETQ3k73MzE0WAOUTpQQoT+uD8OnTSaw3p
                                dHB12PL+swVQKn/LzBxhXCn9/A39vOUkJ7PyYkfn2Ej/
                                aLNb5+F5LIDB57UqPv5I2T4p0rYr
                                ) ; KSK; alg = NSEC3RSASHA1; key id = 33324
g.crenet.com.           30 IN DNSKEY 256 3 7 (
                                AwEAAcDZ5SCeLN0IhLoRKm/BKVPRJuc/ufMXOJivmXHH
                                O4oRLXFwTq1Xe+TLN+cRmOQiBCO3FTN1rMgNxgts7u6u
                                /RVTZnBNvKdcLVbayzE3fsMQrXxFho3fg5zEsF2xORve
                                K+f5fUWxfNl/cduzz6PplU82xznhMyYvrirGV2SN6v7w
                                IP+eZNqUyrcaUdBWCv3t+jZnTWdd4zOPkkv1EGSG0mMR
                                memYJIL66M2eFl4uQyShAqjzVWOpTyDWeKaaB4R2GB0g
                                LiKNZuiIUr+5V+Lmk/a3qsd26DGu3wU2z/MApwPucrLF
                                0vDdGocpS1Vk6Da7QgcI7ZNQnJWmMa/z7FeBbb8=
                                ) ; ZSK; alg = NSEC3RSASHA1; key id = 1898

DNSSEC on the master now works: the zone serves both DNSKEY records, flags 257 for the KSK (SEP bit set) and 256 for the ZSK, and "dig +dnssec www.g.crenet.com @10.10.0.124" returns an RRSIG with the answer. One thing to plan for: the signatures expire (dnssec-signzone signs for 30 days by default), so the zone has to be re-signed before then or validating resolvers will reject it as bogus. Adding "auto-dnssec maintain; inline-signing yes;" to the zone statement (or a dnssec-policy on BIND 9.16 and later) lets named re-sign automatically.

 

3. Edit Slave DNS server configuration

 

This is not complicated. Just enable the same options in "named.conf.options" on the slave DNS server.

# cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        recursion no;
        listen-on port 53 { 10.10.0.225; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Also, change the file value in "named.conf.local" on the slave. The signed zone, RRSIGs included, arrives by zone transfer from the master, so the slave needs no keys of its own.

# cat /etc/bind/named.conf.local
zone g.crenet.com {
   type slave;
   file "db.g.crenet.com.signed";
   masters { 10.10.0.124; };
};

Now I restart bind9 and reload the zone. I can see the downloaded file, which is signed.

# service bind9 restart

# rndc reload

server reload successful

 

# ls

db.g.crenet.com  db.g.crenet.com.signed  managed-keys.bind  managed-keys.bind.jnl

4. Edit Caching DNS server configuration

 

I have already updated this file for DNSSEC. Check "/etc/bind/named.conf.options". Two caveats for a validating resolver: with "dnssec-validation yes" named only validates against trust anchors you configure yourself, whereas "dnssec-validation auto" (the Ubuntu default) uses the built-in root key, so auto is the safer choice unless you manage the anchor. And because g.crenet.com is a private zone that is not delegated from the public DNS tree, this resolver cannot build a chain of trust to it from the root; it will treat the zone as insecure rather than secure until a local trust anchor for g.crenet.com (the KSK, in a trusted-keys or trust-anchors statement) is configured.

# cat /etc/bind/named.conf.options
acl trusted {
   178.128.21.101;
   10.10.0.204;
   10.10.0.124;
   10.10.0.225;
};

options {
        directory "/var/cache/bind";
        recursion yes;                 # enables recursive queries
        allow-recursion { trusted; };  # allows recursive queries from "trusted" clients
        listen-on port 53 { 10.10.0.204; };   # private IP address - listen on private network only
        allow-transfer { none; };      # disable zone transfers by default
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        dump-file "/var/cache/bind/dumps/named_dump.db";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

 

5. Configure DS records with the registrar.

 

When I created the signed zone file, the "dsset-g.crenet.com." file was generated as well; it contains the DS records.

# cat dsset-g.crenet.com.

g.crenet.com.           IN DS 33324 7 1 CFE9B08DB55C9EF23AAE19979FB2A48467C1061E

g.crenet.com.           IN DS 33324 7 2 1245F5EB80E7A2F6CE9A64A9C69A94EFBC800D60EA4065B96B7FF501 AB6816D2

To publish this zone with DNSSEC, I have to give these DS records to my DNS registrar (the company that registers the domain on my behalf, such as GoDaddy or Gabia), which places them in the parent zone. Only then can a validating resolver build the chain of trust from the root down to g.crenet.com. The first line is a SHA-1 digest (digest type 1) and the second a SHA-256 digest (type 2); SHA-1 DS records are deprecated, so publish only the type 2 record. Once the registrar has published it, "dig DS g.crenet.com +dnssec" against a public resolver should return the same digest.
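Since the DS record is the only thing the registrar receives, it is worth recomputing it from the DNSKEY the server actually serves rather than trusting a file on disk. The Go program below is an added example, not code from the post or from BIND: it implements the key-tag checksum of RFC 4034 Appendix B and the DS digest of RFC 4034 section 5.1.4 (a hash over the canonical owner name followed by the DNSKEY RDATA), runs them over the KSK public key that dig printed in section 2, and compares the result with the dsset-g.crenet.com. file from section 5. The base64 key, the key tag 33324 and the two DS digests are copied from this post; the two-byte public key used for the self-check is constructed.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// dnskeyRdata builds DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | public key.
func dnskeyRdata(flags uint16, protocol, algorithm byte, pubkey []byte) []byte {
	rdata := []byte{byte(flags >> 8), byte(flags), protocol, algorithm}
	return append(rdata, pubkey...)
}

// keyTag is the checksum from RFC 4034 Appendix B: even-offset bytes weigh 256,
// odd-offset bytes weigh 1, then the carry is folded back in. This is the number
// dig prints as "key id" and the first field of a DS record.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		if i&1 == 0 {
			ac += uint32(b) << 8
		} else {
			ac += uint32(b)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// ownerWire encodes an owner name in canonical wire form: lower-cased,
// length-prefixed labels, terminated by the root label (a zero byte).
func ownerWire(name string) []byte {
	var out []byte
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	for _, label := range strings.Split(name, ".") {
		out = append(out, byte(len(label)))
		out = append(out, label...)
	}
	return append(out, 0)
}

// dsDigest computes the DS digest of RFC 4034 section 5.1.4 over
// owner-name-wire-form || DNSKEY RDATA. Digest type 1 is SHA-1, 2 is SHA-256.
func dsDigest(owner string, rdata []byte, digestType int) (string, error) {
	input := append(ownerWire(owner), rdata...)
	switch digestType {
	case 1:
		sum := sha1.Sum(input)
		return strings.ToUpper(hex.EncodeToString(sum[:])), nil
	case 2:
		sum := sha256.Sum256(input)
		return strings.ToUpper(hex.EncodeToString(sum[:])), nil
	}
	return "", fmt.Errorf("unsupported DS digest type %d", digestType)
}

// kskBase64 is the KSK public key exactly as the dig output in the post prints it
// (flags 257, protocol 3, algorithm 7 = NSEC3RSASHA1).
const kskBase64 = `
AwEAAZxSkIvePjPUR+SDp7Dyf9NUVdVN2x250Ipqf/Oj JFbq3Wl6b+97lZtSCkQIwa4llL6BHtXMfWWY70qx8hn6
q3lBVXR4XQcsloe16YHDucO8x5MW+o+l61yspKeEj4ZH rb9msIW0AY4vGKj6xofTza/RFI2iiBiLzrCelgYWP2IG
hemeYMfUP3y0RNnsNB9ozh8O1uA2PocTwDaKWqkI0a41 Up/Ea41VKy97ZZgz2duafCkWrrFOAGMbR6M1+P3Glay5
Sj1vLHt1jUcCKk7RnjvlMTuZ74jGu/8IcotMZsna8nwe jZB4Scm4Y/gr1xo+5CkJ9lzsdz8oMHAdwNE+CqDag24C
7gisB81zl1qtNOuSlVGO1TPdriH+Y3da+kCfNj6Q+vLi rtoNlY6/WfmYtr9KzhnthDkoz3HVCJguv2ThUL62La2Z
GHyFtYeiyQ0Oa7y6z0VtrQZ/qn/BwmnWqDOCdQLqu7m4 k4zqoknGZ1BbUK77DQ1R08yfOYTbIOJlHHHgGuVWHAIo
XrhjbwQYvNXtFgCn+w60zB8uxQcctIX2PiOj0WRtOJkN 5mcrL5sYGNVETQ3k73MzE0WAOUTpQQoT+uD8OnTSaw3p
dHB12PL+swVQKn/LzBxhXCn9/A39vOUkJ7PyYkfn2Ej/ aLNb5+F5LIDB57UqPv5I2T4p0rYr`

// dsset holds the two digests from dsset-g.crenet.com. in the post, by digest type.
var dsset = map[int]string{
	1: "CFE9B08DB55C9EF23AAE19979FB2A48467C1061E",
	2: "1245F5EB80E7A2F6CE9A64A9C69A94EFBC800D60EA4065B96B7FF501AB6816D2",
}

// pageKSK decodes the dig output (whitespace stripped) into DNSKEY RDATA.
func pageKSK() ([]byte, error) {
	pub, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(kskBase64), ""))
	if err != nil {
		return nil, err
	}
	return dnskeyRdata(257, 3, 7, pub), nil
}

func main() {
	rdata, err := pageKSK()
	if err != nil {
		panic(err)
	}
	tag := keyTag(rdata)
	fmt.Printf("key tag: %d (dig reported key id = 33324)\n", tag)
	for _, dt := range []int{1, 2} {
		d, _ := dsDigest("g.crenet.com.", rdata, dt)
		status := "differs from"
		if d == dsset[dt] {
			status = "matches"
		}
		fmt.Printf("g.crenet.com. IN DS %d 7 %d %s  -> %s dsset-g.crenet.com.\n", tag, dt, d, status)
	}
}
```

The same routine applied to a DNSKEY fetched with "dig DNSKEY g.crenet.com" from each authoritative server is a cheap pre-flight check before a key rollover: if the digest you are about to hand the registrar does not match the key every server is serving, the zone will go bogus the moment the parent publishes it.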

 

Reference 

[ 1 ] https://createnetech.tistory.com/46

[ 2 ] https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2 

 

How to configure DNS bind9 configuration in Ubuntu

 

Recently, I have needed to learn about DNS. In fact, I have not thought about this system so far. To understand it as a beginner, I will write down how to configure it simply.

 

1. Prerequisites.

I have four servers running Ubuntu 16.04 in AWS. Each server has a public IP address.

 

2. Installation of bind9 packages

 

In fact, I do not know anything at this point, so I need some instructions. I will follow this instruction basically. First I set the host names (hostname only changes the running system; "hostnamectl set-hostname" makes it persistent across reboots).

# hostname ns1     (on the first server)
# hostname ns2     (on the second server)
# hostname ns3     (on the third server)

Then I update the repository and install the bind packages like below. I repeat this step on each server, ns2 and ns3 as well.

# apt-get update
# apt-get install bind9 bind9utils bind9-doc

Installation is complete. I can see the directories and files under /etc/bind.

# ls /etc/bind
bind.keys  db.127  db.empty  db.root     named.conf.default-zones  named.conf.options  zones.rfc1918
db.0       db.255  db.local  named.conf  named.conf.local          rndc.key

 

3. Configuring the Primary DNS Server

 

First, I edit "named.conf.options". In this file, I add some options so that the server works well as a DNS server. This configuration is not only for the primary; I edit it on all of the servers.

# For Caching DNS server

acl "trusted" {
        10.10.0.72;
        10.10.0.99;
        10.10.0.39;
};

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-recursion { trusted; };
        listen-on port 53 { 10.10.0.72; };
        allow-transfer { 10.10.0.99; 10.10.0.39; }; 
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
};

# For Authoritative DNS servers

options { 
        directory "/var/cache/bind"; 

        recursion no;  
        listen-on port 53 { 10.10.0.72; }; 
        allow-transfer { 10.10.0.99; 10.10.0.39; }; 
};

Above, the "acl" block gives a name to a list of addresses, and "allow-recursion" refers to that name. "recursion yes" lets the server resolve names it is not authoritative for (walking down from the root) on behalf of the clients matched by "allow-recursion". This instruction shows what a recursive query is.

In this instruction, it is explained more simply than an "iterative request".

If recursion is open to everyone, the server becomes an open resolver that can be abused for DNS amplification attacks and is an easier target for cache poisoning, so either restrict it to an acl as above or switch it off with "recursion no;". In my case the authoritative DNS servers are the last step for the domain, so I disable recursion. "allow-transfer { 10.10.0.99; 10.10.0.39; };" allows zone transfers (AXFR) of the zone files only to the listed DNS servers, which are the slaves; without such a restriction (older BIND versions default to allowing anyone) the whole zone can be downloaded by anybody who asks.

# Master DNS (Authoritative DNS) server

options {
        directory "/var/cache/bind";

        recursion no;
        listen-on port 53 { 10.10.0.72; };
        allow-transfer { 10.10.0.99; 10.10.0.39; };

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

# Slave DNS (Authoritative DNS) servers

options {
        directory "/var/cache/bind";

        recursion no;
        listen-on port 53 { 10.10.0.99; };   # each slave listens on its own address; on ns3 use 10.10.0.39

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

After these changes, I check that the configuration is correct before restarting.

# named-checkconf /etc/bind/named.conf.options

# service bind9 restart

If named-checkconf prints nothing, the file is syntactically correct. Above, I defined "allow-transfer { 10.10.0.99; 10.10.0.39; };" in the options block. That value is global, so it applies to every zone. Sometimes it needs to be limited per zone, and the instruction recommends "allow-transfer { none; };" globally, with the slaves listed in each zone statement instead.

# Master DNS (Authoritative DNS) server

options { 
        directory "/var/cache/bind"; 

        recursion no; 
        listen-on port 53 { 10.10.0.72; }; 
        allow-transfer { none; };

        dnssec-validation auto; 

        auth-nxdomain no;    # conform to RFC1035 
        listen-on-v6 { any; }; 
}; 

# Slave DNS (Authoritative DNS) servers

options { 
        directory "/var/cache/bind"; 

        recursion no; 
        listen-on port 53 { 10.10.0.99; };   # each slave listens on its own address; on ns3 use 10.10.0.39

        dnssec-validation auto; 

        auth-nxdomain no;    # conform to RFC1035 
        listen-on-v6 { any; }; 
}; 

I define "allow-transfer" individually in every zone definition in "named.conf.local". It looks like below.

# Master DNS (Authoritative DNS) server

zone "dizigo.shop" {
    type master;
    file "/etc/bind/zones/db.dizigo.shop";
    allow-transfer { 10.10.0.99; 10.10.0.39; };
};
zone "10.10.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.10.10";
    allow-transfer { 10.10.0.99; 10.10.0.39; };
};

# Slave DNS (Authoritative DNS) servers 

zone "dizigo.shop" {
    type slave;
    file "db.dizigo.shop";
    masters { 10.10.0.72; };
};
zone "10.10.in-addr.arpa" {
    type slave;
    file "db.10.10";
    masters { 10.10.0.72; };
};

Above, I defined a "forward zone" and a "reverse zone" (this does not mean the zone file itself). I assume that addresses from 10.10.0.0/16 will be mapped to the domain. This file lists which zones exist and the properties of each. I wrote two kinds of configuration, one for the master and one for the slaves. On the master I can define "allow-transfer { 10.10.0.99; 10.10.0.39; };" in each zone definition. On the slaves I define "masters" as the source of the zone.

I keep the zone files under "/etc/bind/zones". If the directory does not exist, create it first.

# mkdir -p /etc/bind/zones

After these changes, I check the configuration again (named-checkconf with no argument checks /etc/bind/named.conf and everything it includes) and then restart.

# named-checkconf

# service bind9 restart

 

3. Creating the forward and reverse zone files.

 

Under the "/etc/bind" directory, there is the sample file for these.

# Forward zone file sample

root@ns1:/etc/bind# cat /etc/bind/db.local
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
@       IN      A       127.0.0.1
@       IN      AAAA    ::1

# Reverse zone file sample 

root@ns1:/etc/bind# cat /etc/bind/db.127
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
1.0.0   IN      PTR     localhost.

I copy and edit these files for my zones. This step depends on your environment, so it will differ from mine.

# cp db.local /etc/bind/zones/db.dizigo.shop

# cp db.127 /etc/bind/zones/db.10.10

Open the forward zone file and edit it first. It looks like below. Note the trailing dots: a name without one is relative to the zone origin, so "ns1.dizigo.shop" without the dot would become ns1.dizigo.shop.dizigo.shop.

$TTL    60
@       IN      SOA     ns1.dizigo.shop. admin.dizigo.shop. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

; name servers - NS records
       IN      NS      ns1.dizigo.shop.
       IN      NS      ns2.dizigo.shop.
       IN      NS      ns3.dizigo.shop.

; name servers - A records
ns1.dizigo.shop.       IN     A    10.10.0.72
ns2.dizigo.shop.       IN     A    10.10.0.99
ns3.dizigo.shop.       IN     A    10.10.0.39

; sample - A records
www.dizigo.shop.       IN     A    10.128.100.101
ftp.dizigo.shop.       IN     A    10.128.200.101

I edit the TTL for caching. If there is a caching DNS server in front of these authoritative servers, it does not ask again during this time; I set it to 60 seconds. The serial number must be increased every time I edit the zone file, because the slave servers compare it with their copy to decide whether to download the zone again. I added all of the name servers after the SOA record. The reverse zone file is similar to the forward zone file; it looks like below.

$TTL    60
@       IN      SOA      ns1.dizigo.shop. admin.dizigo.shop. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

; name servers - NS records
       IN      NS      ns1.dizigo.shop.
       IN      NS      ns2.dizigo.shop.
       IN      NS      ns3.dizigo.shop.

; PTR Records
72.0      IN   PTR  ns1.dizigo.shop.
99.0      IN   PTR  ns2.dizigo.shop.
39.0      IN   PTR  ns3.dizigo.shop.

Most of the values are the same. Add all of the name servers after the SOA record, then add the PTR records. After all of this, I can check my configuration.

# named-checkconf

# named-checkzone dizigo.shop ./zones/db.dizigo.shop

zone dizigo.shop/IN: loaded serial 3

OK

 

# named-checkzone 10.10.in-addr.arpa ./zones/db.10.10

zone 10.10.in-addr.arpa/IN: loaded serial 2

OK

If there are no errors, I will restart the daemon.

# service bind9 restart

 

4. Configuring the Secondary (Slave) DNS Servers

 

I do this on ns2 and ns3 in my case. It is almost the same as the master DNS server, and I have already shown it above. For "named.conf.options",

# Slave DNS (Authoritative DNS) servers

options { 
        directory "/var/cache/bind"; 

        recursion no; 
        listen-on port 53 { 10.10.0.99; };   # each slave listens on its own address; on ns3 use 10.10.0.39

        dnssec-validation auto; 

        auth-nxdomain no;    # conform to RFC1035 
        listen-on-v6 { any; }; 
}; 

For "named.conf.local",

# Slave DNS (Authoritative DNS) servers 

zone "dizigo.shop" { 
    type slave; 
    file "db.dizigo.shop"; 
    masters { 10.10.0.72; }; 
}; 
zone "10.10.in-addr.arpa" { 
    type slave; 
    file "db.10.10"; 
    masters { 10.10.0.72; }; 
}; 

In this "named.conf.local", the file field is not an absolute path; it is relative to the "directory" option, so the transferred copy is written to /var/cache/bind. Now I have slave DNS servers.

 

5. Verifying the master and slave DNS servers.

 

Before verifying, I need the zone to be transferred from the master to the slaves. On the slaves, I run this command.

# rndc reload
server reload successful


# ls -la /var/cache/bind/
total 24
drwxrwxr-x  2 root bind 4096 Sep 11 19:20 .
drwxr-xr-x 10 root root 4096 Sep 11 08:52 ..
-rw-r--r--  1 bind bind  411 Sep 11 19:12 db.10.10
-rw-r--r--  1 bind bind  420 Sep 11 19:12 db.dizigo.shop
-rw-r--r--  1 bind bind  821 Sep 11 19:20 managed-keys.bind
-rw-r--r--  1 bind bind  512 Sep 11 19:20 managed-keys.bind.jnl

In /var/cache/bind/ I can see the downloaded zone files. Now I can look up the domain from remote clients.

# dig +short ns2.dizigo.shop @54.180.126.68
10.10.0.99
# dig +short ns1.dizigo.shop @13.125.70.251
10.10.0.72

 

6. Creating a caching DNS server without a zone file (forwarding-only caching DNS server)

 

Now I create the caching DNS server in front of the authoritative DNS servers. I refer to this instruction. Most of the steps are similar to the ones above, which I have already written.

# For Caching DNS server

acl "trusted" { 
        10.10.0.72; 
        10.10.0.99; 
        10.10.0.39; 
};

options { 
        directory "/var/cache/bind"; 

        recursion yes; 
        allow-recursion { trusted; }; 
        listen-on port 53 { 10.10.0.72; }; 
        allow-transfer { 10.10.0.99; 10.10.0.39; }; 
        forwarders { 
                8.8.8.8; 
                8.8.4.4; 
        }; 
};

The instruction also uses another option, "allow-query". It is not the same as "allow-recursion": allow-query controls who may send this server any query at all, while allow-recursion only controls who may ask it to resolve names it is not authoritative for. So in my case I use allow-recursion again in this post. I need to define "forwarders", which points at the DNS servers that handle the recursive query; in my case, the authoritative DNS servers are listed here.

At this time, I want this caching server to work as a forwarder (it does not answer the query from its own resolution). So I add the "forward only;" option. The final thing I need to edit is dnssec. In fact, I do not know what this is exactly. Anyway, this part makes the server and client more secure. (With "dnssec-validation yes" named checks the RRSIG signatures on answers against trust anchors that you configure yourself; "dnssec-validation auto", the Ubuntu default, uses the built-in root key and is the safer setting here.) So my "named.conf.options" looks like below.

acl trusted {
        10.10.0.37;
        178.128.21.101;
        49.174.202.137;
};

options {
        recursion yes;                 # enables recursive queries
        allow-recursion { trusted; };  # allows recursive queries from "trusted" clients
        listen-on port 53 { 10.10.0.37; };   # private IP address - listen on private network only
        allow-transfer { none; };      # disable zone transfers by default
        forwarders {
               10.10.0.99;
               10.10.0.72;
        };
        forward only;
        dnssec-enable yes;
        dnssec-validation yes;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

After this configuration, I check it with "named-checkconf" and restart bind.

# named-checkconf

# service bind9 restart

 

7. Verifying the caching server (cleaning the cached DB)

 

In this blog, there is a way to view the cache contents.

# Run Command

# rndc dumpdb -cache

 

# Log messages (Error)

Sep 13 14:38:25 cache kernel: [195574.027929] audit: type=1400 audit(1568385505.800:83): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/named_dump.db" pid=25682 comm="named" requested_mask="c" denied_mask="c" fsuid=112 ouid=112
Sep 13 14:38:25 cache named[25678]: received control channel command 'dumpdb -cache'
Sep 13 14:38:25 cache named[25678]: could not open dump file 'named_dump.db': permission denied

This error is caused by where the command tries to write the dump file: named runs under an AppArmor profile that only allows it to write inside /var/cache/bind (and a few other directories), so it cannot create /named_dump.db. Therefore I need to define the path for the dump file in the configuration. Please read this instruction.

acl trusted {
        10.10.0.37;
        178.128.21.101;
        49.174.202.137;
};

options {
        recursion yes;                 # enables recursive queries
        allow-recursion { trusted; };  # allows recursive queries from "trusted" clients
        listen-on port 53 { 10.10.0.37; };   # private IP address - listen on private network only
        allow-transfer { none; };      # disable zone transfers by default
        forwarders {
               10.10.0.99;
               10.10.0.72;
        };
        forward only;
        dnssec-enable yes;
        dnssec-validation yes;
        dump-file "/var/cache/bind/dumps/named_dump.db";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

"dump-file "/var/cache/bind/dumps/named_dump.db";" is added to the configuration. After that, check the configuration and restart. (Note that the file should be located under the /var/cache/bind directory, and the dumps sub-directory must exist and be writable by the bind user.)

# Run Command

# rndc dumpdb -cache

 

# ls /var/cache/bind/dumps
named_dump.db

I can see that the file was created. I can also read it; the content looks like below.

# cat named_dump.db
;
; Start view _default
;
;
; Cache dump of view '_default' (cache _default)
;
$DATE 20190913145755
; authanswer
www.dizigo.shop.        56      IN A    10.128.100.101
;
; Address database dump
;
; [edns success/4096 timeout/1432 timeout/1232 timeout/512 timeout]
; [plain success/timeout]
;
;
; Unassociated entries
;
;       10.10.0.99 [srtt 232] [flags 00004000] [edns 1/0/0/0/0] [plain 0/0] [udpsize 512] [ttl 1796]
;       10.10.0.72 [srtt 29] [flags 00000000] [edns 0/0/0/0/0] [plain 0/0] [ttl 1796]
;
; Bad cache
;
;
; Start view _bind
;
;
; Cache dump of view '_bind' (cache _bind)
;
$DATE 20190913145755
;
; Address database dump
;
; [edns success/4096 timeout/1432 timeout/1232 timeout/512 timeout]
; [plain success/timeout]
;
;
; Unassociated entries
;
;
; Bad cache
;
; Dump complete

If I want to clear the cache, I run the commands below. "rndc flush" empties the cache on its own; restarting the service also discards it, but is not required.

# rndc flush

# service bind9 restart

 

8. Creating a caching DNS server with a zone file (delegating a sub-domain)

 

Please note that I cannot delegate another domain, only a sub-domain of a zone I am authoritative for. For example, "some-name.origin-domain.com --> some-domain.com" is not possible; only "some-name.origin-domain.com --> some-name.sub-domain.origin-domain.com" is possible.

Because of this, I use another name, "ozigo.shop" (so far, I have used "dizigo.shop").

 

I follow the referenced tutorial. A caching server can also hold zone files and answer those queries authoritatively itself. To do this I first remove "forward only;" and the "forwarders" block, so the server now recurses on its own from the root hints instead of forwarding. named.conf.options then looks like this (note that listen-on-v6 { any; } still binds every IPv6 address; the allow-recursion { trusted; } ACL is what keeps this from becoming an open resolver):

acl trusted {
        10.10.0.37;
        178.128.21.101;
        49.174.202.137;
};

options {
        recursion yes;                 # enables recursive queries
        allow-recursion { trusted; };  # allows recursive queries from "trusted" clients only
        listen-on port 53 { 10.10.0.37; };   # ns1 private IP address - listen on private network only
        allow-transfer { none; };      # disable zone transfers by default
        dnssec-enable yes;
        dnssec-validation yes;
        dump-file "/var/cache/bind/dumps/named_dump.db";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Then I need two more files: "named.conf.local", which declares the zone, and the zone file that contains the sub-domain delegation.

# cat named.conf.local

zone "ozigo.shop" {
    type master;
    file "/etc/bind/zones/db.ozigo.shop";
};

I use "$ORIGIN" to separate the parent zone from the delegated sub-zone inside one file. The NS records under the second $ORIGIN are the delegation: a query for anything under "ns.ozigo.shop" is referred to "ns1.ns.ozigo.shop", which has the IP address 10.10.0.72, and the A record for that name in the parent is the glue that makes the referral usable. The file below shows the same pattern with a different name (crenet.com, delegating g.crenet.com to two servers); the structure is identical.

root@cache:/var/cache/bind/zones# cat db.crenet.com
$ORIGIN crenet.com.
$TTL    10                              ; very short TTL, only sensible in a lab
@       IN      SOA     crenet.com. admin.crenet.com. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; name server of the parent zone
        IN      NS      ns1.crenet.com.
ns1.crenet.com. IN A 10.10.0.204

;
www.crenet.com. IN CNAME www.g.crenet.com.

; delegation: everything under g.crenet.com is served by the sub-zone's own servers
$ORIGIN g.crenet.com.
@       IN      NS      ns1.g.crenet.com.
        IN      NS      ns2.g.crenet.com.
; glue records: the NS names are inside the delegated zone, so the parent must supply their addresses
ns1.g.crenet.com. IN A 10.10.0.124
ns2.g.crenet.com. IN A 10.10.0.225

# cat zones/db.ns.ozigo.shop

$TTL    60
@       IN      SOA     ns1.ns.ozigo.shop. admin.ns.ozigo.shop. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

; name servers - NS records
        IN      NS      ns1.ns.ozigo.shop.

; name servers - A records
ns1.ns.ozigo.shop.       IN     A    10.10.0.72

; sample - A records
recursion.ns.ozigo.shop.  IN     A    200.200.200.200

My final goal is to look up "recursion.ns.ozigo.shop" through the caching server. When I dig from a remote client, the result should look like this (the AUTHORITY section shows the delegated zone's name server answering):

# dig recursion.ns.ozigo.shop @54.180.154.199

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> recursion.ns.ozigo.shop @54.180.154.199

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46798

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;recursion.ns.ozigo.shop.       IN      A

;; ANSWER SECTION:

recursion.ns.ozigo.shop. 60     IN      A       200.200.200.200

;; AUTHORITY SECTION:

ns.ozigo.shop.          60      IN      NS      ns1.ns.ozigo.shop.

;; ADDITIONAL SECTION:

ns1.ns.ozigo.shop.      60      IN      A       10.10.0.72

;; Query time: 104 msec

;; SERVER: 54.180.154.199#53(54.180.154.199)

;; WHEN: Fri Sep 13 20:31:49 UTC 2019

;; MSG SIZE  rcvd: 102

 

9. TroubleShooting.

 

I can meet errors like the following while checking the zone file on the cache server. They come from named-checkzone's integrity check: it tries to resolve the delegated name-server names through the system resolver, and fails when /etc/resolv.conf points at a server that knows nothing about them. The zone itself still loads (serial 3, OK).

# named-checkzone crenet.com db.crenet.com

zone crenet.com/IN: getaddrinfo(ns1.g.crenet.com) failed: Temporary failure in name resolution

zone crenet.com/IN: getaddrinfo(ns2.g.crenet.com) failed: Temporary failure in name resolution

zone crenet.com/IN: loaded serial 3

OK

In my case I update /etc/resolv.conf so that the nameserver is my own server's private IP address, which can resolve those names. Alternatively, `named-checkzone -i local` restricts the integrity check to in-zone names and avoids the lookup altogether.

# cat /etc/resolv.conf  

nameserver 10.10.0.204
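The delegation rules from section 8 and the named-checkzone warnings above can be checked mechanically. The following is an added example written for this page, not code from the post or from BIND: a minimal master-file parser that understands $ORIGIN, "@", relative names and the blank-owner shorthand used in the zone files above, plus a delegation check run over the crenet.com parent zone from section 8 and a constructed child zone for g.crenet.com. Only the parent zone text is taken from the page; the child zone, its www record, the function names and the broken variants are assumptions made for the example. It reports missing glue and NS sets that differ between parent and child; a delegation that still points at a decommissioned name server is a lame delegation and a well-known subdomain-takeover foothold.

```python
"""Delegation consistency check for $ORIGIN-style zone files.

Added example for this page; it is not code from the post or from BIND. It
parses the parent zone (crenet.com, copied from the page) and a constructed
child zone for g.crenet.com, then checks what a correct delegation needs:
glue A/AAAA records in the parent for every in-bailiwick NS target at the zone
cut, and the same NS set in the parent delegation and at the child apex.
"""
from collections import namedtuple

RR = namedtuple("RR", "name type rdata")   # rdata is a tuple of tokens

# Parent zone, taken from section 8 of the page.
PARENT_ZONE = """\
$ORIGIN crenet.com.
$TTL    10
@       IN      SOA     crenet.com. admin.crenet.com. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
        IN      NS      ns1.crenet.com.
ns1.crenet.com. IN A 10.10.0.204
;
www.crenet.com. IN CNAME www.g.crenet.com.

$ORIGIN g.crenet.com.
@       IN      NS      ns1.g.crenet.com.
        IN      NS      ns2.g.crenet.com.
ns1.g.crenet.com. IN A 10.10.0.124
ns2.g.crenet.com. IN A 10.10.0.225
"""

# Child zone: constructed for this example, the page does not show it.
CHILD_ZONE = """\
$TTL 60
@    IN SOA ns1.g.crenet.com. admin.g.crenet.com. ( 1 604800 86400 2419200 604800 )
     IN NS  ns1.g.crenet.com.
     IN NS  ns2.g.crenet.com.
ns1  IN A   10.10.0.124
ns2  IN A   10.10.0.225
www  IN A   10.128.100.101
"""

def qualify(name, origin):
    """Make a master-file name absolute: '@' is the origin, a name without a trailing dot is relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Minimal master-file parser: $ORIGIN, $TTL, ';' comments, per-record TTL,
    a blank owner field meaning 'same owner as the previous record', and
    parenthesised multi-line RDATA (the SOA), whose continuation lines are skipped."""
    records, owner, in_paren = [], None, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if in_paren:
            in_paren = ")" not in line
            continue
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        name = owner if line[0] in " \t" else qualify(tokens.pop(0), origin)
        owner = name
        if tokens and tokens[0].isdigit():
            tokens.pop(0)                          # per-record TTL
        if tokens and tokens[0] == "IN":
            tokens.pop(0)                          # class
        rtype, rdata = tokens[0], [t for t in tokens[1:] if t not in "()"]
        in_paren = "(" in line and ")" not in line
        if rtype in ("NS", "CNAME"):
            rdata = [qualify(rdata[0], origin)]    # target names may be relative too
        records.append(RR(name, rtype, tuple(rdata)))
    return records

def check_delegation(parent, child, child_origin):
    """Return a list of findings; an empty list means the delegation is consistent."""
    findings = []
    parent_ns = {r.rdata[0] for r in parent if r.type == "NS" and r.name == child_origin}
    child_ns = {r.rdata[0] for r in child if r.type == "NS" and r.name == child_origin}
    glue = {r.name for r in parent if r.type in ("A", "AAAA") and r.name.endswith("." + child_origin)}
    if not parent_ns:
        findings.append(f"no NS records for {child_origin} in parent: zone is not delegated")
    for ns in sorted(parent_ns):
        if ns.endswith("." + child_origin) and ns not in glue:
            findings.append(f"in-bailiwick NS {ns} has no glue A/AAAA in parent")
    for ns in sorted(parent_ns - child_ns):
        findings.append(f"{ns} is listed in parent but not at child apex (lame delegation risk)")
    for ns in sorted(child_ns - parent_ns):
        findings.append(f"{ns} is at child apex but not in parent delegation")
    return findings

if __name__ == "__main__":
    parent = parse_zone(PARENT_ZONE, "crenet.com.")
    child = parse_zone(CHILD_ZONE, "g.crenet.com.")
    print(check_delegation(parent, child, "g.crenet.com.") or "delegation of g.crenet.com. is consistent")
```

Run it after every edit of the parent or child zone; the same check applied to ozigo.shop / ns.ozigo.shop only needs the two zone texts and origins swapped.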

 

Reference

 

[ 1 ] https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-ubuntu-18-04

[ 2 ] https://kifarunix.com/configure-bind-as-slave-dns-server-on-ubuntu-18-04/

[ 3 ] https://help.fasthosts.co.uk/app/answers/detail/a_id/1276/~/what-is-recursive-dns-and-why-is-it-not-recommended%3F

[ 4 ] https://www.slashroot.in/difference-between-iterative-and-recursive-dns-query

[ 5 ] https://help.fasthosts.co.uk/app/answers/detail/a_id/1276/~/what-is-recursive-dns-and-why-is-it-not-recommended%3F

[ 6 ] https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04

[ 7 ] https://linuxconfig.org/how-to-view-and-clear-bind-dns-server-s-cache-on-linux 

[ 8 ] https://bugzilla.redhat.com/show_bug.cgi?id=112350

[ 9 ] http://www.zytrax.com/books/dns/ch9/delegate.html

 

How does the OSPF cost work? 

 

In this post I look at how the OSPF cost is derived (the interface cost and "auto-cost reference-bandwidth"). Normally I run OSPF with default settings, so I want to see exactly what those defaults produce.

 

1. Pre-requisite.

 

This is the environment used to reproduce it: three Nexus switches in a triangle, each with a loopback, configured with default OSPF values.

s1 (1.1.1.1/32)

feature ospf

interface Ethernet1/1
  no switchport
  ip address 100.21.1.11/16
  ip router ospf 1 area 0.0.0.0
  no shutdown

interface Ethernet1/3
  no switchport
  ip address 100.31.1.13/16
  ip router ospf 1 area 0.0.0.0
  no shutdown

interface loopback0
  ip address 1.1.1.1/32
  ip router ospf 1 area 0.0.0.0

router ospf 1
  router-id 1.1.1.1

s2 (2.2.2.2/32)

feature ospf

interface Ethernet1/1
  no switchport
  ip address 100.21.2.11/16
  ip router ospf 2 area 0.0.0.0
  no shutdown

interface Ethernet1/2
  no switchport
  ip address 100.32.2.12/16
  ip router ospf 2 area 0.0.0.0
  no shutdown

interface loopback0
  ip address 2.2.2.2/32
  ip router ospf 2 area 0.0.0.0

router ospf 2
  router-id 2.2.2.2

s3 (3.3.3.3/32)

feature ospf

interface Ethernet1/2
  no switchport
  ip address 100.32.3.12/16
  ip router ospf 3 area 0.0.0.0
  no shutdown

interface Ethernet1/3
  no switchport
  ip address 100.31.3.13/16
  ip router ospf 3 area 0.0.0.0
  no shutdown

interface loopback0
  ip address 3.3.3.3/32
  ip router ospf 3 area 0.0.0.0

router ospf 3
  router-id 3.3.3.3

 

2. Verify default status.

 

With default values, I can see the routing table over s1.

s1# show ip route

1.1.1.1/32, ubest/mbest: 2/0, attached

    *via 1.1.1.1, Lo0, [0/0], 00:39:21, local

    *via 1.1.1.1, Lo0, [0/0], 00:39:21, direct

2.2.2.2/32, ubest/mbest: 1/0

    *via 100.21.2.11, Eth1/1, [110/41], 00:35:38, ospf-1, intra

3.3.3.3/32, ubest/mbest: 1/0

    *via 100.31.3.13, Eth1/3, [110/41], 00:33:43, ospf-1, intra

100.21.0.0/16, ubest/mbest: 1/0, attached

    *via 100.21.1.11, Eth1/1, [0/0], 00:36:44, direct

100.21.1.11/32, ubest/mbest: 1/0, attached

    *via 100.21.1.11, Eth1/1, [0/0], 00:36:44, local

100.31.0.0/16, ubest/mbest: 1/0, attached

    *via 100.31.1.13, Eth1/3, [0/0], 00:34:24, direct

100.31.1.13/32, ubest/mbest: 1/0, attached

    *via 100.31.1.13, Eth1/3, [0/0], 00:34:24, local

100.32.0.0/16, ubest/mbest: 2/0

    *via 100.21.2.11, Eth1/1, [110/80], 00:33:43, ospf-1, intra

    *via 100.31.3.13, Eth1/3, [110/80], 00:33:43, ospf-1, intra

Two kinds of values appear, [110/41] and [110/80]. The first number is the preference, also called the administrative distance; reference [1] lists the defaults per protocol, and OSPF's is 110.

The second number is the metric, that is the cost. The lower value wins.

So in [110/41] and [110/80], "41" and "80" are the metrics. Before calculating them I need to understand "auto-cost reference-bandwidth".

 

3. About auto-cost reference-bandwidth.

 

The interface cost is obtained as reference bandwidth / interface bandwidth (integer division, minimum 1). The NX-OS command reference [4] shows how to configure the reference bandwidth.

I am using a Cisco Nexus image, whose default reference bandwidth is 40 Gbps (40000 Mbps); classic IOS defaults to 100 Mbps, which is why the same links get different costs on the two platforms.

I can verify this value with command, "show ip ospf". This is the sample from s1.

s1# show ip ospf

 Routing Process 1 with ID 1.1.1.1 VRF default

 Routing Process Instance Number 1

 Stateful High Availability enabled

 Graceful-restart is configured

   Grace period: 60 state: Inactive

   Last graceful restart exit status: None

 Supports only single TOS(TOS0) routes

 Supports opaque LSA

 Administrative distance 110

 Reference Bandwidth is 40000 Mbps

 SPF throttling delay time of 200.000 msecs,

   SPF throttling hold time of 1000.000 msecs,

   SPF throttling maximum wait time of 5000.000 msecs

 LSA throttling start time of 0.000 msecs,

   LSA throttling hold interval of 5000.000 msecs,

   LSA throttling maximum wait time of 5000.000 msecs

 Minimum LSA arrival 1000.000 msec

 LSA group pacing timer 10 secs

 Maximum paths to destination 8

 Number of external LSAs 0, checksum sum 0

 Number of opaque AS LSAs 0, checksum sum 0

 Number of areas is 1, 1 normal, 0 stub, 0 nssa

 Number of active areas is 1, 1 normal, 0 stub, 0 nssa

 Install discard route for summarized external routes.

 Install discard route for summarized internal routes.

   Area BACKBONE(0.0.0.0)

        Area has existed for 02:52:56

        Interfaces in this area: 3 Active interfaces: 3

        Passive interfaces: 0  Loopback interfaces: 1

        No authentication available

        SPF calculation has run 9 times

         Last SPF ran for 0.001811s

        Area ranges are

        Number of LSAs: 6, checksum sum 0x30590

The reference bandwidth is 40000 Mbps. On s1, Ethernet1/1 and Ethernet1/3 each report 1 Gbps (BW 1000000 Kbit):

s1# show inter et 1/1
Ethernet1/1 is up
admin state is up, Dedicated Interface
  Hardware: 100/1000/10000 Ethernet, address: 0cfc.6a48.f207 (bia 0cfc.6a48.f208 )
  Internet Address is 100.21.1.11/16
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, medium is broadcast
  full-duplex, 1000 Mb/s

 

s1# show inter et 1/3
Ethernet1/3 is up
admin state is up, Dedicated Interface
  Hardware: 100/1000/10000 Ethernet, address: 0cfc.6a48.f207 (bia 0cfc.6a48.f20a )
  Internet Address is 100.31.1.13/16
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, medium is broadcast
  full-duplex, 1000 Mb/s

So 40000 Mbps / 1000 Mbps = 40, and that is the interface cost. Because the division is integer and the minimum cost is 1, any interface of 40 Gbps or faster gets cost 1 at this default, so a 40G and a 100G link become indistinguishable to OSPF; that is the main reason to raise the reference bandwidth in a fabric with fast links. The per-interface cost can also be read directly with "show ip ospf interface". This is the output from s1:

s1# show ip ospf interface

 Ethernet1/1 is up, line protocol is up

    IP address 100.21.1.11/16

    Process ID 1 VRF default, area 0.0.0.0

    Enabled by interface configuration

    State BDR, Network type BROADCAST, cost 40

    Index 2, Transmit delay 1 sec, Router Priority 1

    Designated Router ID: 2.2.2.2, address: 100.21.2.11

    Backup Designated Router ID: 1.1.1.1, address: 100.21.1.11

    1 Neighbors, flooding to 1, adjacent with 1

    Timer intervals: Hello 10, Dead 40, Wait 40, Retransmit 5

      Hello timer due in 00:00:04

    No authentication

    Number of opaque link LSAs: 0, checksum sum 0

 Ethernet1/3 is up, line protocol is up

    IP address 100.31.1.13/16

    Process ID 1 VRF default, area 0.0.0.0

    Enabled by interface configuration

    State BDR, Network type BROADCAST, cost 40

    Index 3, Transmit delay 1 sec, Router Priority 1

    Designated Router ID: 3.3.3.3, address: 100.31.3.13

    Backup Designated Router ID: 1.1.1.1, address: 100.31.1.13

    1 Neighbors, flooding to 1, adjacent with 1

    Timer intervals: Hello 10, Dead 40, Wait 40, Retransmit 5

      Hello timer due in 00:00:03

    No authentication

    Number of opaque link LSAs: 0, checksum sum 0

 loopback0 is up, line protocol is up

    IP address 1.1.1.1/32

    Process ID 1 VRF default, area 0.0.0.0

    Enabled by interface configuration

    State LOOPBACK, Network type LOOPBACK, cost 1

    Index 1

 

 

Now I can work out the values in the routing table. Reference [3] explains the calculation and how the lowest-cost path is selected.

 

4. Analysis the OSPF routing cost.

 

In the s1 routing table, 41 and 80 are the metrics.

Take 3.3.3.3/32, s3's loopback: it is reachable over two paths. Directly over Eth1/3 the cost is 40 (the link) + 1 (the loopback, a stub network advertised at cost 1) = 41. Via s2 it is 40 (s1 to s2) + 40 (s2 to s3) + 1 = 81. 41 is lower, so the Eth1/3 path is selected. For 100.32.0.0/16, the s2-s3 link, both paths cost 40 + 40 = 80, so both are installed (ubest/mbest: 2/0) and traffic is load-shared across them.

 

5. (Option 1) Adjust the Interface Bandwidth to change the path.  

 

There are several ways to influence the path. The simplest is to change the interface bandwidth value with the "bandwidth" command (reference [6]); this changes only the value routing protocols use for their metrics, not the physical speed of the link. I change it on both ends of the s1-s3 link so that the cost stays symmetric:

s1 (1.1.1.1/32)

s1(config)# inter et 1/3
s1(config-if)# bandwidth 100000

s3 (3.3.3.3/32)

s3(config)# inter et 1/3
s3(config-if)# bandwidth 100000

Afterwards the OSPF interface cost reflects the new bandwidth: 40000 Mbps / 100 Mbps = 400.

s1# show ip ospf inter et 1/3
 Ethernet1/3 is up, line protocol is up
    IP address 100.31.1.13/16
    Process ID 1 VRF default, area 0.0.0.0
    Enabled by interface configuration
    State BDR, Network type BROADCAST, cost 400
    Index 3, Transmit delay 1 sec, Router Priority 1
    Designated Router ID: 3.3.3.3, address: 100.31.3.13
    Backup Designated Router ID: 1.1.1.1, address: 100.31.1.13
    1 Neighbors, flooding to 1, adjacent with 1
    Timer intervals: Hello 10, Dead 40, Wait 40, Retransmit 5
      Hello timer due in 00:00:03
    No authentication
    Number of opaque link LSAs: 0, checksum sum 0

 

s3# show ip ospf interface ethernet 1/3
 Ethernet1/3 is up, line protocol is up
    IP address 100.31.3.13/16
    Process ID 3 VRF default, area 0.0.0.0
    Enabled by interface configuration
    State DR, Network type BROADCAST, cost 400
    Index 3, Transmit delay 1 sec, Router Priority 1
    Designated Router ID: 3.3.3.3, address: 100.31.3.13
    Backup Designated Router ID: 1.1.1.1, address: 100.31.1.13
    1 Neighbors, flooding to 1, adjacent with 1
    Timer intervals: Hello 10, Dead 40, Wait 40, Retransmit 5
      Hello timer due in 00:00:06
    No authentication
    Number of opaque link LSAs: 0, checksum sum 0

Now, I can see the routing table changed like below.

s1# show ip route

1.1.1.1/32, ubest/mbest: 2/0, attached

    *via 1.1.1.1, Lo0, [0/0], 00:07:12, local

    *via 1.1.1.1, Lo0, [0/0], 00:07:12, direct

2.2.2.2/32, ubest/mbest: 1/0

    *via 100.21.2.11, Eth1/1, [110/41], 00:06:11, ospf-1, intra

3.3.3.3/32, ubest/mbest: 1/0

    *via 100.21.2.11, Eth1/1, [110/81], 00:05:29, ospf-1, intra

100.21.0.0/16, ubest/mbest: 1/0, attached

    *via 100.21.1.11, Eth1/1, [0/0], 00:07:13, direct

100.21.1.11/32, ubest/mbest: 1/0, attached

    *via 100.21.1.11, Eth1/1, [0/0], 00:07:13, local

100.31.0.0/16, ubest/mbest: 1/0, attached

    *via 100.31.1.13, Eth1/3, [0/0], 00:07:12, direct

100.31.1.13/32, ubest/mbest: 1/0, attached

    *via 100.31.1.13, Eth1/3, [0/0], 00:07:12, local

100.32.0.0/16, ubest/mbest: 1/0

    *via 100.21.2.11, Eth1/1, [110/80], 00:05:29, ospf-1, intra

 

6. (Option 2) Adjust the auto-cost reference bandwidth to change the path.

 

Auto-cost reference-bandwidth is a per-process setting on each router, and it is not propagated to neighbours: changing it on s1 only changes the costs s1 computes for its own interfaces, and changing it on s2 as well only affects s2's interfaces. For consistent metrics it has to be set identically on every router in the area. Here I change it on s1 only, precisely to show that effect (the bandwidth change from option 1 has been reverted first, as the [110/11] metric via Eth1/3 below shows).

This is how the value is changed.

s1(config)# router ospf 1
s1(config-router)# auto-cost reference-bandwidth 10000
s1(config-router)# exit

I can verify the ospf information 

s1# show ip ospf

 Routing Process 1 with ID 1.1.1.1 VRF default

 Routing Process Instance Number 1

 Stateful High Availability enabled

 Graceful-restart is configured

   Grace period: 60 state: Inactive

   Last graceful restart exit status: None

 Supports only single TOS(TOS0) routes

 Supports opaque LSA

 Administrative distance 110

 Reference Bandwidth is 10000 Mbps

The routing table changes accordingly. s1's own interfaces now cost 10000 / 1000 = 10, so both loopbacks become 10 + 1 = 11. The transit prefix 100.32.0.0/16 becomes 10 + 40 = 50, because s2 and s3 still advertise their links with cost 40 under the default reference bandwidth:

s1# show ip route

1.1.1.1/32, ubest/mbest: 2/0, attached

    *via 1.1.1.1, Lo0, [0/0], 00:18:15, local

    *via 1.1.1.1, Lo0, [0/0], 00:18:15, direct

2.2.2.2/32, ubest/mbest: 1/0

    *via 100.21.2.11, Eth1/1, [110/11], 00:02:25, ospf-1, intra

3.3.3.3/32, ubest/mbest: 1/0

    *via 100.31.3.13, Eth1/3, [110/11], 00:02:25, ospf-1, intra

100.21.0.0/16, ubest/mbest: 1/0, attached

    *via 100.21.1.11, Eth1/1, [0/0], 00:18:16, direct

100.21.1.11/32, ubest/mbest: 1/0, attached

    *via 100.21.1.11, Eth1/1, [0/0], 00:18:16, local

100.31.0.0/16, ubest/mbest: 1/0, attached

    *via 100.31.1.13, Eth1/3, [0/0], 00:18:15, direct

100.31.1.13/32, ubest/mbest: 1/0, attached

    *via 100.31.1.13, Eth1/3, [0/0], 00:18:15, local

100.32.0.0/16, ubest/mbest: 2/0

    *via 100.21.2.11, Eth1/1, [110/50], 00:02:25, ospf-1, intra

    *via 100.31.3.13, Eth1/3, [110/50], 00:02:25, ospf-1, intra

 

7. (Option 3) Adjust the ip ospf cost to change the path.

 

This is the most direct way, but I do not recommend it as a general practice: manual per-interface costs accumulate and make the topology hard to reason about later. Reference [7] shows the configuration. It is done per interface:

s1(config)# inter ethernet 1/3
s1(config-if)# ip ospf cost 100
s1(config-if)# exit

 

This is the result on s1 switch

s1# show ip ospf interface ethernet 1/3

 Ethernet1/3 is up, line protocol is up

    IP address 100.31.1.13/16

    Process ID 1 VRF default, area 0.0.0.0

    Enabled by interface configuration

    State BDR, Network type BROADCAST, cost 100

    Index 3, Transmit delay 1 sec, Router Priority 1

    Designated Router ID: 3.3.3.3, address: 100.31.3.13

    Backup Designated Router ID: 1.1.1.1, address: 100.31.1.13

    1 Neighbors, flooding to 1, adjacent with 1

    Timer intervals: Hello 10, Dead 40, Wait 40, Retransmit 5

      Hello timer due in 00:00:03

    No authentication

    Number of opaque link LSAs: 0, checksum sum 0

The path is adjusted accordingly: Eth1/3 now costs 100, so 3.3.3.3/32 is reached via s2 at 40 + 40 + 1 = 81 rather than 100 + 1 = 101, and 100.32.0.0/16 via s2 at 80 rather than 100 + 40 = 140. The s1 routing table:

s1# show ip route

1.1.1.1/32, ubest/mbest: 2/0, attached

    *via 1.1.1.1, Lo0, [0/0], 00:24:35, local

    *via 1.1.1.1, Lo0, [0/0], 00:24:35, direct

2.2.2.2/32, ubest/mbest: 1/0

    *via 100.21.2.11, Eth1/1, [110/41], 00:04:23, ospf-1, intra

3.3.3.3/32, ubest/mbest: 1/0

    *via 100.21.2.11, Eth1/1, [110/81], 00:01:52, ospf-1, intra

100.21.0.0/16, ubest/mbest: 1/0, attached

    *via 100.21.1.11, Eth1/1, [0/0], 00:24:36, direct

100.21.1.11/32, ubest/mbest: 1/0, attached

    *via 100.21.1.11, Eth1/1, [0/0], 00:24:36, local

100.31.0.0/16, ubest/mbest: 1/0, attached

    *via 100.31.1.13, Eth1/3, [0/0], 00:24:35, direct

100.31.1.13/32, ubest/mbest: 1/0, attached

    *via 100.31.1.13, Eth1/3, [0/0], 00:24:35, local

100.32.0.0/16, ubest/mbest: 1/0

    *via 100.21.2.11, Eth1/1, [110/80], 00:01:52, ospf-1, intra

This is the OSPF cost concept.
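The four states walked through above (defaults, "bandwidth", reference bandwidth changed on one router only, "ip ospf cost") can be reproduced outside the lab. The following is an added example written for this page, not code from the post or from Cisco: it models the three-switch topology from section 1, derives each router's interface costs with the rule from section 3, runs SPF from s1 and prints the routes in the [110/metric] form of show ip route. The topology and the four scenarios are taken from the page; the function names and the 1..65535 clamp on the cost are my assumptions.

```python
"""OSPF path-cost model for the three-switch lab in this post.

Added example; it is not code from the original post or from Cisco. It applies
the rule stated above, cost = reference-bandwidth / interface-bandwidth
(integer division, clamped to 1..65535, overridden by 'ip ospf cost'), computed
by EACH router for its OWN outgoing interfaces, then runs SPF from s1 and
reproduces the metrics seen in the s1 routing tables: 41/80 by default, 81/80
after 'bandwidth 100000', 11/50 after changing the reference bandwidth on s1
only, and 81/80 after 'ip ospf cost 100'. Loopbacks are advertised at cost 1,
as 'show ip ospf interface' shows for loopback0.
"""
import heapq

NXOS_DEFAULT_REF_BW_MBPS = 40000   # 'Reference Bandwidth is 40000 Mbps' on the page
GIGABIT_KBIT = 1_000_000           # 'BW 1000000 Kbit' on the page

def ospf_cost(ref_bw_mbps, bw_kbit, override=None):
    """Interface cost as NX-OS derives it. Note the floor: at the 40 Gbps default
    a 40G and a 100G link both cost 1, so the metric cannot tell them apart."""
    if override is not None:
        return override
    return max(1, min(65535, ref_bw_mbps * 1000 // bw_kbit))

# Topology constructed from the configs on the page: (router, interface) -> (neighbour, transit prefix)
LINKS = {
    ("s1", "Eth1/1"): ("s2", "100.21.0.0/16"), ("s2", "Eth1/1"): ("s1", "100.21.0.0/16"),
    ("s1", "Eth1/3"): ("s3", "100.31.0.0/16"), ("s3", "Eth1/3"): ("s1", "100.31.0.0/16"),
    ("s2", "Eth1/2"): ("s3", "100.32.0.0/16"), ("s3", "Eth1/2"): ("s2", "100.32.0.0/16"),
}
LOOPBACKS = {"s1": "1.1.1.1/32", "s2": "2.2.2.2/32", "s3": "3.3.3.3/32"}

def build_graph(ref_bw=None, bandwidth=None, cost=None):
    """Adjacency {router: [(neighbour, cost, prefix)]}. ref_bw is per router
    (the knob is per OSPF process and is NOT propagated to neighbours);
    bandwidth (kbit) and cost are per (router, interface)."""
    ref_bw, bandwidth, cost = ref_bw or {}, bandwidth or {}, cost or {}
    graph = {r: [] for r in LOOPBACKS}
    for (router, iface), (nbr, prefix) in LINKS.items():
        c = ospf_cost(ref_bw.get(router, NXOS_DEFAULT_REF_BW_MBPS),
                      bandwidth.get((router, iface), GIGABIT_KBIT),
                      cost.get((router, iface)))
        graph[router].append((nbr, c, prefix))
    return graph

def spf(graph, source):
    """Dijkstra from source. Returns {prefix: (metric, sorted first-hop routers)};
    two first hops means equal-cost multipath (ubest/mbest: 2/0 on the page)."""
    dist, first_hop = {source: 0}, {source: frozenset()}
    heap = [(0, source)]
    while heap:
        d, r = heapq.heappop(heap)
        if d > dist[r]:
            continue
        for nbr, c, _ in graph[r]:
            nd, hop = d + c, (frozenset({nbr}) if r == source else first_hop[r])
            if nd < dist.get(nbr, float("inf")):
                dist[nbr], first_hop[nbr] = nd, hop
                heapq.heappush(heap, (nd, nbr))
            elif nd == dist[nbr]:
                first_hop[nbr] = first_hop[nbr] | hop
    attached = {prefix for _, _, prefix in graph[source]}   # these are 'direct' routes, not OSPF
    routes = {}
    def offer(prefix, metric, hops):
        best = routes.get(prefix)
        if best is None or metric < best[0]:
            routes[prefix] = (metric, set(hops))
        elif metric == best[0]:
            best[1].update(hops)
    for r, d in dist.items():
        if r == source:
            continue
        offer(LOOPBACKS[r], d + 1, first_hop[r])          # stub network: owner's distance + 1
        for _, c, prefix in graph[r]:
            if prefix not in attached:
                offer(prefix, d + c, first_hop[r])        # transit network: owner's distance + its link cost
    return {p: (m, sorted(h)) for p, (m, h) in routes.items()}

SCENARIOS = {   # the four states walked through in sections 2, 5, 6 and 7
    "default": {},
    "bandwidth 100000 on s1 and s3 Eth1/3": {"bandwidth": {("s1", "Eth1/3"): 100_000, ("s3", "Eth1/3"): 100_000}},
    "auto-cost reference-bandwidth 10000 on s1 only": {"ref_bw": {"s1": 10000}},
    "ip ospf cost 100 on s1 Eth1/3": {"cost": {("s1", "Eth1/3"): 100}},
}

def s1_routes(scenario):
    """OSPF routes as s1 would install them for one of the SCENARIOS."""
    return spf(build_graph(**SCENARIOS[scenario]), "s1")

if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"== {name}")
        for prefix, (metric, hops) in sorted(s1_routes(name).items()):
            print(f"  {prefix:16} [110/{metric}] via {', '.join(hops)}")
```

The per-router reference bandwidth is the detail worth noticing: with 10000 on s1 alone, the model gives 100.32.0.0/16 a metric of 50, the asymmetric mix of s1's cost 10 and the neighbours' cost 40 that the real routing table showed.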

 

Reference

 

[ 1 ] https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/15986-admin-distance.html

[ 2 ] http://www.informit.com/articles/article.aspx?p=26129&seqNum=7

[ 3 ] https://www.computernetworkingnotes.com/ccna-study-guide/ospf-metric-cost-calculation-formula-explained.html

[ 4 ] https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5500/sw/command/reference/unicast/n5500-ucast-cr/n5k-ospf_cmds_a.pdf

[ 5 ] https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2012/pdf/BRKARC-3472.pdf

[ 6 ] https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/interfaces/configuration/guide/if_cli/if_layer3int.html

[ 7 ] https://community.cisco.com/t5/networking-documents/how-to-configure-ospf-cost/ta-p/3133153

How do BGP synchronization and next-hop-self work on Nexus?

 

I have already written a short introduction to BGP in another post on this blog, in Korean, and about BGP synchronization in a second Korean post; for the next-hop-self concept a third post is helpful. Do not worry if you cannot read Korean: in this post I reproduce the synchronization and next-hop-self behaviour with Nexus switches.

 

1. Pre-requisite

 

This is my environment for this post, configured step by step as below. Configuration for the "OSPF 1 + AS 1" part (s1, s2, s3):

s1 (loopback0 110.0.0.1)

feature ospf
feature bgp

interface Ethernet1/2
  no switchport
  ip address 100.21.1.12/16
  ip router ospf 1 area 0.0.0.1
  no shutdown

interface Ethernet1/3
  no switchport
  ip address 100.31.1.13/16
  ip router ospf 1 area 0.0.0.1
  no shutdown

interface loopback0
  ip address 110.0.0.1/32
  ip router ospf 1 area 0.0.0.1

router ospf 1
  router-id 110.0.0.1

s2 (loopback0 110.0.0.2)

feature ospf
feature bgp

interface Ethernet1/1
  no switchport
  ip address 100.42.2.11/16
  no shutdown

interface Ethernet1/2
  no switchport
  ip address 100.21.2.12/16
  ip router ospf 1 area 0.0.0.1
  no shutdown

interface loopback0
  ip address 110.0.0.2/32
  ip router ospf 1 area 0.0.0.1

router ospf 1
  router-id 110.0.0.2

router bgp 1
  router-id 110.0.0.2
  log-neighbor-changes
  address-family ipv4 unicast
    network 110.0.0.2/32
  neighbor 100.42.4.11
    remote-as 2
    log-neighbor-changes
    update-source loopback0
    address-family ipv4 unicast
  neighbor 110.0.0.3
    remote-as 1
    update-source loopback0
    address-family ipv4 unicast

s3 (loopback0 110.0.0.3)

feature ospf
feature bgp

interface Ethernet1/1
  no switchport
  ip address 100.63.3.11/16
  no shutdown

interface Ethernet1/3
  no switchport
  ip address 100.31.3.13/16
  ip router ospf 1 area 0.0.0.1
  no shutdown

interface loopback0
  ip address 110.0.0.3/32
  ip router ospf 1 area 0.0.0.1

router ospf 1
  router-id 110.0.0.3

router bgp 1
  router-id 110.0.0.3
  address-family ipv4 unicast
    network 110.0.0.3/32
  neighbor 100.63.6.11
    remote-as 3
    update-source loopback0
    address-family ipv4 unicast
  neighbor 110.0.0.2
    remote-as 1
    update-source loopback0
    address-family ipv4 unicast

Configuration for the "OSPF 2 + AS 2" part (s4, s5):

s4 (loopback0 110.0.0.4)

feature ospf
feature bgp

interface Ethernet1/1
  no switchport
  ip address 100.42.4.11/16
  no shutdown

interface Ethernet1/2
  no switchport
  ip address 100.54.4.12/16
  ip router ospf 2 area 0.0.0.2
  no shutdown

interface loopback0
  ip address 110.0.0.4/32

router ospf 2
  router-id 110.0.0.4

router bgp 2
  router-id 110.0.0.4
  log-neighbor-changes
  address-family ipv4 unicast
    network 110.0.0.4/32
  neighbor 100.42.2.11
    remote-as 1
    log-neighbor-changes
    address-family ipv4 unicast
  neighbor 110.42.2.11
    ! no remote-as: this neighbor never comes up and plays no part below
    address-family ipv4 unicast

s5 (loopback0 110.0.0.5)

feature ospf
feature bgp

interface Ethernet1/2
  no switchport
  ip address 100.54.5.12/16
  ip router ospf 2 area 0.0.0.2
  no shutdown

interface loopback0
  ip address 110.0.0.5/32
  ip router ospf 2 area 0.0.0.2

router ospf 2
  router-id 110.0.0.5

Configuration for the "OSPF 3 + AS 3" part (s6, s7):

s6 (loopback0 110.0.0.6)

feature ospf
feature bgp

interface Ethernet1/1
  no switchport
  ip address 100.63.6.11/16
  no shutdown

interface Ethernet1/2
  no switchport
  ip address 100.76.6.12/16
  ip router ospf 3 area 0.0.0.3
  no shutdown

interface loopback0
  ip address 110.0.0.6/32

router ospf 3
  router-id 110.0.0.6

router bgp 3
  router-id 110.0.0.6
  log-neighbor-changes
  address-family ipv4 unicast
    network 110.0.0.6/32
  neighbor 100.63.3.11
    remote-as 1
    address-family ipv4 unicast

s7 (loopback0 110.0.0.7)

feature ospf
feature bgp

interface Ethernet1/2
  no switchport
  ip address 100.76.7.12/16
  ip router ospf 3 area 0.0.0.3
  no shutdown

interface loopback0
  ip address 110.0.0.7/32
  ip router ospf 3 area 0.0.0.3

router ospf 3
  router-id 110.0.0.7

This is the minimum configuration, and traffic does not yet flow end to end: for example S4 (110.0.0.4) and S6 (110.0.0.6) cannot reach each other. The rest of the post works out why.

 

2. About BGP synchroization.

 

To see the synchronization behaviour, look at the BGP table on s3:

s3# show ip bgp

BGP routing table information for VRF default, address family IPv4 Unicast

BGP table version is 16, Local Router ID is 110.0.0.3

Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best

Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-i

njected

Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup, 2 - b

est2

   Network            Next Hop            Metric     LocPrf     Weight Path

*>i110.0.0.2/32       110.0.0.2                         100          0 i

*>l110.0.0.3/32       0.0.0.0                           100      32768 i

  i110.0.0.4/32       100.42.4.11                       100          0 2 i

*>e110.0.0.6/32       100.63.6.11                                    0 3 i

At first glance this is odd. On classic IOS, BGP synchronization is enabled by default and I have not configured "no synchronization", so the iBGP-learned 110.0.0.4/32 should not be usable until the same prefix is also known through the IGP. The concept is explained in the Korean post linked above.

The explanation is the platform: I use a Nexus image, and NX-OS does not implement BGP synchronization at all (there is no synchronization command; the behaviour is always "off"). So the prefix learned from s2 appears in s3's BGP table regardless of OSPF. Note, however, that the entry carries no "*" (valid) flag, which is the subject of the next section.

 

3. About Next-Hop-Self.

 

Even though the BGP table on s3 shows the S4 prefix, the entry is not valid: only the other three rows carry the "*>" markers.

s3# show ip bgp

BGP routing table information for VRF default, address family IPv4 Unicast

BGP table version is 16, Local Router ID is 110.0.0.3

Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best

Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-i

njected

Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup, 2 - b

est2

   Network            Next Hop            Metric     LocPrf     Weight Path

*>i110.0.0.2/32       110.0.0.2                         100          0 i

*>l110.0.0.3/32       0.0.0.0                           100      32768 i

  i110.0.0.4/32       100.42.4.11                       100          0 2 i

*>e110.0.0.6/32       100.63.6.11                                    0 3 i

The column to check is "Next Hop". 100.42.4.11 is s4's address on the s2-s4 link, and s3's routing table has no route covering 100.42.0.0/16, because that link is not in OSPF:

s3# show ip route

IP Route Table for VRF "default"

'*' denotes best ucast next-hop

'**' denotes best mcast next-hop

'[x/y]' denotes [preference/metric]

'%' in via output denotes VRF 

100.21.0.0/16, ubest/mbest: 1/0

    *via 100.31.1.13, Eth1/3, [110/80], 1d03h, ospf-1, intra

100.31.0.0/16, ubest/mbest: 1/0, attached

    *via 100.31.3.13, Eth1/3, [0/0], 1d04h, direct

100.31.3.13/32, ubest/mbest: 1/0, attached

    *via 100.31.3.13, Eth1/3, [0/0], 1d04h, local

100.63.0.0/16, ubest/mbest: 1/0, attached

    *via 100.63.3.11, Eth1/1, [0/0], 1d04h, direct

100.63.3.11/32, ubest/mbest: 1/0, attached

    *via 100.63.3.11, Eth1/1, [0/0], 1d04h, local

110.0.0.1/32, ubest/mbest: 1/0

    *via 100.31.1.13, Eth1/3, [110/41], 1d03h, ospf-1, intra

110.0.0.2/32, ubest/mbest: 1/0

    *via 100.31.1.13, Eth1/3, [110/81], 1d03h, ospf-1, intra

110.0.0.3/32, ubest/mbest: 2/0, attached

    *via 110.0.0.3, Lo0, [0/0], 1d04h, local

    *via 110.0.0.3, Lo0, [0/0], 1d04h, direct

110.0.0.6/32, ubest/mbest: 1/0

    *via 100.63.6.11, [20/0], 1d02h, bgp-1, external, tag 3

The path is invalid because its next hop cannot be resolved in s3's routing table. There are two common fixes: give s3 a route to the next hop (a static route here; advertising the s2-s4 link into OSPF would do the same), or have s2 rewrite the next hop to itself with next-hop-self. First the static route:

# Add static route on s3

s3(config)# ip route 100.42.0.0/16 110.0.0.1

The BGP entry is now valid: the next hop resolves recursively through 110.0.0.1, which OSPF reaches via Eth1/3. Note that this only satisfies s3's next-hop check; s1, which the route points at, runs no BGP and has no route to 110.0.0.4/32, so actual forwarding is a separate problem.

s3# show ip bgp

BGP routing table information for VRF default, address family IPv4 Unicast

BGP table version is 17, Local Router ID is 110.0.0.3

Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best

Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-i

njected

Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup, 2 - b

est2

   Network            Next Hop            Metric     LocPrf     Weight Path

*>i110.0.0.2/32       110.0.0.2                         100          0 i

*>l110.0.0.3/32       0.0.0.0                           100      32768 i

*>i110.0.0.4/32       100.42.4.11                       100          0 2 i

*>e110.0.0.6/32       100.63.6.11                                    0 3 i

Now I configure "next-hop-self" on s2 after removing the static route from s3.

# Remove static route on s3

s3(config)# no ip route 100.42.0.0/16 110.0.0.1 

 

# Add next hop self configuratoin on s2

s2(config)# router bgp 1
s2(config-router)# neighbor 110.0.0.3
s2(config-router-neighbor)# address-family ipv4 unicast
s2(config-router-neighbor-af)# next-hop-self
s2(config-router-neighbor-af)# end

Now look at the s3 switch with "show ip bgp" command

s3# show ip bgp

BGP routing table information for VRF default, address family IPv4 Unicast

BGP table version is 19, Local Router ID is 110.0.0.3

Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best

Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-i

njected

Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup, 2 - b

est2

   Network            Next Hop            Metric     LocPrf     Weight Path

*>i110.0.0.2/32       110.0.0.2                         100          0 i

*>l110.0.0.3/32       0.0.0.0                           100      32768 i

*>i110.0.0.4/32       110.0.0.2                         100          0 2 i

*>e110.0.0.6/32       100.63.6.11                                    0 3 i

Two things changed. The entry is now valid, and its next hop is 110.0.0.2 instead of 100.42.4.11: next-hop-self makes s2 advertise its own update-source address (its loopback, which OSPF reaches) as the next hop of the eBGP-learned route, so the iBGP peer no longer needs a route to the external link. For symmetry I apply the same on s3 towards s2:

s3(config)# router bgp 1

s3(config-router)# nei 110.0.0.2

s3(config-router-neighbor)# address-family ipv4 unicast

s3(config-router-neighbor-af)# next-hop-self

s3(config-router-neighbor-af)# exit
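The next-hop check that decides the "*" flag above can be modelled in a few lines. The following is an added example written for this page, not code from the post or from Cisco: it takes s3's routing table as printed above and s3's BGP table in the three states shown (no fix, static route, next-hop-self) and decides validity the way a BGP speaker does, by longest-prefix match of the next hop in the RIB, following recursive routes until one has an egress interface. The data classes, the function names and the loop guard are assumptions made for the example.

```python
"""Why a BGP path shows up without '*' (valid): the next-hop check.

Added example for this page; it is not code from the post or from Cisco. It
takes s3's routing table and BGP table from the page and decides validity:
the next hop must resolve in the RIB by longest-prefix match, following
recursive routes (next-hop address but no interface) until an egress
interface is found.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: str
    via: str                              # next-hop address, or "connected"
    interface: Optional[str] = None       # None => recursive route (e.g. an eBGP route)

@dataclass(frozen=True)
class BgpPath:
    prefix: str
    next_hop: str
    ptype: str                            # i/e/l as in the 'show ip bgp' path type column
    as_path: tuple

# s3's RIB as printed on the page (only the fields the check needs)
S3_RIB = [
    Route("100.21.0.0/16", "100.31.1.13", "Eth1/3"),
    Route("100.31.0.0/16", "connected", "Eth1/3"),
    Route("100.63.0.0/16", "connected", "Eth1/1"),
    Route("110.0.0.1/32", "100.31.1.13", "Eth1/3"),
    Route("110.0.0.2/32", "100.31.1.13", "Eth1/3"),
    Route("110.0.0.3/32", "connected", "Lo0"),
    Route("110.0.0.6/32", "100.63.6.11"),            # eBGP route, recursive
]

# s3's BGP table before any fix
BEFORE = [
    BgpPath("110.0.0.2/32", "110.0.0.2", "i", ()),
    BgpPath("110.0.0.3/32", "0.0.0.0", "l", ()),
    BgpPath("110.0.0.4/32", "100.42.4.11", "i", (2,)),   # next hop is the s2-s4 link, unknown to s3
    BgpPath("110.0.0.6/32", "100.63.6.11", "e", (3,)),
]
# Fix 1: 'ip route 100.42.0.0/16 110.0.0.1' on s3 (recursive via s1's loopback)
WITH_STATIC = S3_RIB + [Route("100.42.0.0/16", "110.0.0.1")]
# Fix 2: next-hop-self on s2 rewrites the iBGP next hop to s2's update-source
AFTER_NHS = [BgpPath(p.prefix, "110.0.0.2", p.ptype, p.as_path) if p.prefix == "110.0.0.4/32" else p
             for p in BEFORE]

def lookup(rib, address):
    """Longest-prefix match of an address against the RIB (None if no route covers it)."""
    addr = ipaddress.ip_address(address)
    best, best_len = None, -1
    for r in rib:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best

def resolve_next_hop(rib, next_hop, max_depth=8):
    """Egress interface for next_hop, following recursive routes; None when the
    next hop is unreachable or resolution loops, which makes the BGP path invalid."""
    hop = next_hop
    for _ in range(max_depth):
        r = lookup(rib, hop)
        if r is None:
            return None
        if r.interface is not None:
            return r.interface
        hop = r.via                       # recursive route: resolve its next hop in turn
    return None

def validate(rib, paths):
    """{prefix: (valid, egress)} for each BGP path; locally originated paths
    (next hop 0.0.0.0) are always valid."""
    out = {}
    for p in paths:
        if p.next_hop == "0.0.0.0":
            out[p.prefix] = (True, "local")
        else:
            egress = resolve_next_hop(rib, p.next_hop)
            out[p.prefix] = (egress is not None, egress)
    return out

def bgp_table(rib, paths):
    """Render status/type/network/next-hop/AS-path columns like 'show ip bgp'."""
    status = validate(rib, paths)
    return [f"{'*>' if status[p.prefix][0] else '  '}{p.ptype}{p.prefix:18}{p.next_hop:16}"
            f"{' '.join(map(str, p.as_path))} i".rstrip()
            for p in paths]

if __name__ == "__main__":
    for title, rib, paths in (("before", S3_RIB, BEFORE),
                              ("static route on s3", WITH_STATIC, BEFORE),
                              ("next-hop-self on s2", S3_RIB, AFTER_NHS)):
        print(f"== {title}")
        print("\n".join(bgp_table(rib, paths)))
```

The two fixes end up at the same egress, Eth1/3 towards s1, but for different reasons: the static route adds a recursive entry that s3 alone knows about, while next-hop-self changes what s2 advertises, so every iBGP peer benefits without local configuration.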

 

4. Troubleshooting.

 

Look at routing table and bgp table on the s4 switch and s6 switch. From s4 switch,

s4# show ip route
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%' in via output denotes VRF
100.42.0.0/16, ubest/mbest: 1/0, attached
    *via 100.42.4.11, Eth1/1, [0/0], 1d04h, direct
100.42.4.11/32, ubest/mbest: 1/0, attached
    *via 100.42.4.11, Eth1/1, [0/0], 1d04h, local
100.54.0.0/16, ubest/mbest: 1/0, attached
    *via 100.54.4.12, Eth1/2, [0/0], 1d04h, direct
100.54.4.12/32, ubest/mbest: 1/0, attached
    *via 100.54.4.12, Eth1/2, [0/0], 1d04h, local
110.0.0.2/32, ubest/mbest: 1/0
    *via 100.42.2.11, [20/0], 1d02h, bgp-2, external, tag 1
110.0.0.3/32, ubest/mbest: 1/0
    *via 100.42.2.11, [20/0], 1d02h, bgp-2, external, tag 1
110.0.0.4/32, ubest/mbest: 2/0, attached
    *via 110.0.0.4, Lo0, [0/0], 1d04h, local
    *via 110.0.0.4, Lo0, [0/0], 1d04h, direct
110.0.0.5/32, ubest/mbest: 1/0
    *via 100.54.5.12, Eth1/2, [110/41], 00:40:49, ospf-2, intra
110.0.0.6/32, ubest/mbest: 1/0
    *via 100.42.2.11, [20/0], 00:03:43, bgp-2, external, tag 1

s4# show ip bgp
BGP routing table information for VRF default, address family IPv4 Unicast
BGP table version is 12, Local Router ID is 110.0.0.4
Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best
Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-injected
Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup, 2 - best2
   Network            Next Hop            Metric     LocPrf     Weight Path
*>e110.0.0.2/32       100.42.2.11                                    0 1 i
*>e110.0.0.3/32       100.42.2.11                                    0 1 i
*>l110.0.0.4/32       0.0.0.0                           100      32768 i
*>e110.0.0.6/32       100.42.2.11                                    0 1 3 i

From the s6 switch,

s6# show ip route
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%' in via output denotes VRF
100.63.0.0/16, ubest/mbest: 1/0, attached
    *via 100.63.6.11, Eth1/1, [0/0], 1d04h, direct
100.63.6.11/32, ubest/mbest: 1/0, attached
    *via 100.63.6.11, Eth1/1, [0/0], 1d04h, local
100.76.0.0/16, ubest/mbest: 1/0, attached
    *via 100.76.6.12, Eth1/2, [0/0], 1d04h, direct
100.76.6.12/32, ubest/mbest: 1/0, attached
    *via 100.76.6.12, Eth1/2, [0/0], 1d04h, local
110.0.0.2/32, ubest/mbest: 1/0
    *via 100.63.3.11, [20/0], 1d02h, bgp-3, external, tag 1
110.0.0.3/32, ubest/mbest: 1/0
    *via 100.63.3.11, [20/0], 1d02h, bgp-3, external, tag 1
110.0.0.4/32, ubest/mbest: 1/0
    *via 100.63.3.11, [20/0], 00:10:28, bgp-3, external, tag 1
110.0.0.6/32, ubest/mbest: 2/0, attached
    *via 110.0.0.6, Lo0, [0/0], 1d04h, local
    *via 110.0.0.6, Lo0, [0/0], 1d04h, direct
110.0.0.7/32, ubest/mbest: 1/0
    *via 100.76.7.12, Eth1/2, [110/41], 00:44:12, ospf-3, intra

s6# show ip bgp
BGP routing table information for VRF default, address family IPv4 Unicast
BGP table version is 15, Local Router ID is 110.0.0.6
Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best
Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-injected
Origin codes: i - IGP, e - EGP, ? - incomplete, | - multipath, & - backup, 2 - best2
   Network            Next Hop            Metric     LocPrf     Weight Path
*>e110.0.0.2/32       100.63.3.11                                    0 1 i
*>e110.0.0.3/32       100.63.3.11                                    0 1 i
*>e110.0.0.4/32       100.63.3.11                                    0 1 2 i
*>l110.0.0.6/32       0.0.0.0                           100      32768 i

With this information, the two switches should be able to send traffic to each other. However, they cannot. Look below: I send traffic from s4 to s6.

s4# ping 110.0.0.6 source-interface loopback 0
PING 110.0.0.6 (110.0.0.6): 56 data bytes
Request 0 timed out

--- 110.0.0.6 ping statistics ---
2 packets transmitted, 0 packets received, 100.00% packet loss

I have to check the routing tables of s2 and s3 as well. They also have the routes.

s2# show ip route
110.0.0.4/32, ubest/mbest: 1/0
    *via 100.42.4.11, [20/0], 1d03h, bgp-1, external, tag 2
110.0.0.6/32, ubest/mbest: 1/0
    *via 110.0.0.3, [200/0], 00:09:44, bgp-1, internal, tag 3

s3# show ip route
110.0.0.4/32, ubest/mbest: 1/0
    *via 110.0.0.2, [200/0], 00:14:14, bgp-1, internal, tag 2
110.0.0.6/32, ubest/mbest: 1/0
    *via 100.63.6.11, [20/0], 1d02h, bgp-1, external, tag 3

Now only the s1 switch is left. On the s1 switch I did not configure BGP, so s1 cannot learn any routes for s4 and s6, and the transit traffic is dropped there. Now I will simply add static routes on the s1 switch.

s1(config)# ip route 110.0.0.4/32 110.0.0.2
s1(config)# ip route 110.0.0.5/32 110.0.0.2
s1(config)# ip route 110.0.0.6/32 110.0.0.3
s1(config)# ip route 110.0.0.7/32 110.0.0.3

After adding this configuration, I can send the traffic:

s4# ping 110.0.0.6 source-interface loopback 0
PING 110.0.0.6 (110.0.0.6): 56 data bytes
64 bytes from 110.0.0.6: icmp_seq=0 ttl=251 time=20.858 ms
64 bytes from 110.0.0.6: icmp_seq=1 ttl=251 time=12.801 ms
64 bytes from 110.0.0.6: icmp_seq=2 ttl=251 time=25.59 ms
64 bytes from 110.0.0.6: icmp_seq=3 ttl=251 time=13.339 ms
64 bytes from 110.0.0.6: icmp_seq=4 ttl=251 time=12.694 ms

--- 110.0.0.6 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 12.694/17.056/25.59 ms
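The troubleshooting above comes down to a hop-by-hop lookup: every switch on the path must hold a usable route for the destination loopback, and s1 did not. Below is an added Python example (my own code, not from this post) that models that walk over the tables shown here. The s2, s3, s4 and s6 entries are transcribed from the show ip route output above; s1's table, the 100.12.x and 100.13.x link addresses between s1 and s2/s3, and the IGP routes that resolve the iBGP loopback next hops are assumptions for illustration. It reports the first switch that has no route, and shows the path healed once the four static routes from this section are added.

```python
import copy
import ipaddress

# Constructed per-device route tables, prefix -> next hop. The s2, s3, s4 and s6
# entries are transcribed from the "show ip route" output in this post. s1's table
# and the 100.12.x / 100.13.x links between s1 and s2/s3 are ASSUMED here (the post
# does not show them); the 110.0.0.x next hops are iBGP loopbacks resolved via IGP.
ROUTES = {
    "s4": {"110.0.0.2/32": "100.42.2.11", "110.0.0.6/32": "100.42.2.11"},
    "s2": {"110.0.0.4/32": "100.42.4.11", "110.0.0.6/32": "110.0.0.3",
           "110.0.0.3/32": "100.12.1.11"},            # assumed IGP route to s3's loopback via s1
    "s1": {"110.0.0.2/32": "100.12.2.11", "110.0.0.3/32": "100.13.3.11"},   # no BGP: nothing for s4/s6
    "s3": {"110.0.0.6/32": "100.63.6.11", "110.0.0.4/32": "110.0.0.2",
           "110.0.0.2/32": "100.13.1.11"},            # assumed IGP route to s2's loopback via s1
    "s6": {"110.0.0.4/32": "100.63.3.11"},
}
# Which device owns each directly connected link address (100.AB.X.11 scheme of the post;
# the s1 links are assumptions). Loopbacks are the 110.0.0.N addresses of each switch.
OWNER = {"100.42.2.11": "s2", "100.42.4.11": "s4", "100.12.1.11": "s1", "100.12.2.11": "s2",
         "100.13.1.11": "s1", "100.13.3.11": "s3", "100.63.3.11": "s3", "100.63.6.11": "s6"}
LOOPBACK = {"s2": "110.0.0.2", "s3": "110.0.0.3", "s4": "110.0.0.4", "s6": "110.0.0.6"}


def lookup(table, addr):
    """Longest-prefix match of addr in one device's table; None when no route exists."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def resolve(table, addr, max_depth=4):
    """Resolve addr to a directly connected next hop, recursing through iBGP
    loopback next hops (110.0.0.x) the way the forwarding plane does."""
    next_hop = lookup(table, addr)
    for _ in range(max_depth):
        if next_hop is None or next_hop in OWNER:
            break
        next_hop = lookup(table, next_hop)
    return next_hop if next_hop in OWNER else None


def trace(routes, src, dst):
    """Walk the forwarding path from src towards loopback dst.
    Returns (hops, verdict); the verdict names the first switch without a
    usable route, which is where the traffic is black-holed."""
    hops, device = [src], src
    while len(hops) <= 16:
        if LOOPBACK.get(device) == dst:
            return hops, "reached"
        next_hop = resolve(routes[device], dst)
        if next_hop is None:
            return hops, f"{device} has no route to {dst}"
        device = OWNER[next_hop]
        if device in hops:
            return hops + [device], "loop"
        hops.append(device)
    return hops, "too many hops"


def with_static_routes(routes):
    """Copy of the tables with the four static routes this post added on s1."""
    fixed = copy.deepcopy(routes)
    fixed["s1"].update({"110.0.0.4/32": "110.0.0.2", "110.0.0.5/32": "110.0.0.2",
                        "110.0.0.6/32": "110.0.0.3", "110.0.0.7/32": "110.0.0.3"})
    return fixed


if __name__ == "__main__":
    for label, tables in (("before", ROUTES), ("after", with_static_routes(ROUTES))):
        print(label, trace(tables, "s4", "110.0.0.6"), trace(tables, "s6", "110.0.0.4"))
```

Run stand-alone it prints the path before the fix (stopping at s1 with no route to 110.0.0.6) and the full path s4, s2, s1, s3, s6 afterwards. Tracing the reverse direction shows that the reply path depended on s1 in exactly the same way, which is why both the 110.0.0.4 and the 110.0.0.6 static routes were needed.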

 

Reference

[ 1 ] https://blog.naver.com/happy_jhyo/70151060540
[ 2 ] https://blog.naver.com/happy_jhyo/221284566856
[ 3 ] http://www.nnk.com.au/index.php?option=com_content&view=article&id=22:bgp-synchronization&catid=3:articles&Itemid=5
[ 4 ] https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/unicast/configuration/guide/l3_cli_nxos/l3_bgp.html

 

How to connect Cisco Nexus with Ansible over GNS3, simply?

I want to deploy and send commands to Cisco Nexus OS with Ansible. In fact, I do not have real hardware switches or routers, therefore I will use the GNS3 simulator for this.

 

1. Environment

To build this environment, I need Cisco Nexus and Ansible over GNS3. If I want to apply this in the real world, I will follow this instruction, which explains how to install the Ansible control node. In the GNS3 marketplace there is an appliance which offers Ansible. I will use this.

With this GNS3 appliance, I will build the topology below.

After configuring the above topology, I can log in to every switch/router with SSH as below.

In the Network Automation host of GNS3, Ansible is pre-installed. I can verify the version as below. In my case, 2.7.11 is installed.

Now I am ready to use Ansible to deploy to Cisco Nexus OS over GNS3.

 

2. Elements of Ansible to use

From this instruction, there are several elements used by Ansible.

When I met these concepts as a network engineer, they were not simple to understand. In my opinion, the "Control Node" is the machine that creates commands and transfers them to the switch/router. "Managed Nodes" are the switches/routers. The "Inventory" is the list of switches/routers to access, with their IP addresses and usernames. A "Task" is an action, such as the "show version" command. A "Playbook" is a group of tasks. In Ansible, there are 2 ways to run: ansible and ansible-playbook. I will show details later in this post.

 

3. Variable syntax for INI-style and YAML format

In the middle of this instruction, there are syntax examples. While creating the inventory or a playbook, I will meet 2 types of files, INI-style and YAML format. They define variables differently. In INI-style, key=value is correct. In YAML format, key: value is correct.

 

 

4. Create the inventory file

"Working with Inventory" and "Build Your Inventory" are the instructions for creating the inventory file. This inventory file is the list of switches which can be accessed, with IP address and username. In this inventory file, I can list each host and make groups of hosts.

From here, I can verify that the "/etc/ansible" directory is used by default. In this directory, there are 2 files and 1 directory. "ansible.cfg" is the global configuration file. "hosts" is the inventory file.

In this post, I will try to access Cisco Nexus for network automation. To create the inventory file, I should know how to define the connection method to the switch/router. In this instruction, some parameters are explained. First, I need the connection method. In my case, I will select "network_cli", which is "CLI over SSH".

Second, I need to know what kind of OS type is used. In my case, I have to access Cisco Nexus, so it should be nxos.

If I used a "Catalyst", I might need the "enable" command.

With these factors, I can create the inventory file like below. I want to make "gns3_datacenter", which has zone_core, zone_1 and zone_2 as members.

[gns3_datacenter]

[gns3_datacenter:children]
zone_core
zone_1
zone_2

[zone_core]
s_core ansible_host=100.25.2.15 ansible_network_os=nxos ansible_user=admin

[zone_1]
s1 ansible_host=100.23.3.13 ansible_network_os=nxos ansible_user=admin

[zone_2]
s2 ansible_host=100.24.4.14 ansible_network_os=nxos ansible_user=admin

[gns3_datacenter:vars]
ansible_connection=network_cli

The ":children" option is used to include groups as members of a group. The ":vars" option is used to define variables, such as ansible_host and ansible_connection, for every member of the group. The behavioral inventory parameters are listed in this instruction.

 

5. Create the password vault

So far, I have defined the hosts to access. However, the password part is still left. In Ansible, there is a way to protect sensitive variables such as passwords with ansible-vault.

For this, I need the config file. In "/etc/ansible/ansible.cfg", vault_password_file is commented out. I need to change this part to what I want. In my case, "/etc/ansible/vault_password_file" is used.

After that, I will create vault_password_file with the command below.

# echo "ansible_password" > /etc/ansible/vault_password_file

After I create this file, I will create the encrypted password with this value.

# ansible-vault encrypt_string --vault-id admin@/etc/ansible/vault_password_file 'ansible' --name 'ansible_password'

ansible-vault encrypt_string --vault-id <H/W username>@<vault_password_file Path> '<H/W password>' --name 'ansible_password'

I will meet this error. I have searched through Google so many times. However, I cannot find out why this happens. Nevertheless, I have to comment out "vault_password_file" again in "/etc/ansible/ansible.cfg".

After commenting it out, I can run the command above. I will get a result like below. Memorize this value. Please note to un-comment "vault_password_file" afterwards.

 

6. Organizing host and group variables

I created the Ansible password with the vault. Now I need to add this parameter into the configuration. For this, I will use the "Organizing host and group variables" method, because the password could be different for each hardware device. In Ansible, "group_vars/" and "host_vars/" are used to define them. Please read this instruction.

Now I will create the "group_vars" directory and create a file named after the group name in the inventory file. In my case, I will use "gns3_datacenter".

Now I will add the "ansible_password" from above into "/etc/ansible/group_vars/gns3_datacenter".
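A check a practitioner would want at this point: neither the inventory nor group_vars should carry a credential in cleartext, only the "!vault" block produced by ansible-vault encrypt_string. The Python below is an added example (not part of this post or of Ansible) that parses the INI inventory from section 4 and scans group_vars files for password variables that are not vault-tagged. The leaking variants and the vault ciphertext body are constructed placeholders. Note that the vault_password_file created in section 5 is itself a cleartext secret and should be readable only by the user that runs Ansible.

```python
import re

# Constructed sample: the INI inventory from section 4 of this post, plus an
# ASSUMED variant that leaks a password in cleartext.
INVENTORY_OK = """\
[gns3_datacenter]

[gns3_datacenter:children]
zone_core
zone_1
zone_2

[zone_core]
s_core ansible_host=100.25.2.15 ansible_network_os=nxos ansible_user=admin

[zone_1]
s1 ansible_host=100.23.3.13 ansible_network_os=nxos ansible_user=admin

[zone_2]
s2 ansible_host=100.24.4.14 ansible_network_os=nxos ansible_user=admin

[gns3_datacenter:vars]
ansible_connection=network_cli
"""
INVENTORY_LEAK = INVENTORY_OK + "ansible_password=ansible\n"

# group_vars/gns3_datacenter as ansible-vault encrypt_string writes it; the hex
# body below is a constructed placeholder, not real vault ciphertext.
GROUP_VARS_OK = """\
ansible_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          3030303030303030303030303030303030303030303030303030303030303030
"""
GROUP_VARS_LEAK = "ansible_password: ansible\n"

# Inventory variables that hold credentials and therefore must be vault-protected.
SECRET_KEYS = re.compile(r"^(ansible_password|ansible_become_pass(word)?|ansible_ssh_pass)$")


def parse_ini_inventory(text):
    """Parse an Ansible INI inventory into
    {section: {"entries": {name: {key: value}}, "vars": {key: value}}}.
    Lines under [group] and [group:children] are entries; [group:vars] lines are key=value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {"entries": {}, "vars": {}})
        elif current is None:
            raise ValueError(f"entry outside any section: {line!r}")
        elif current.endswith(":vars"):
            key, _, value = line.partition("=")
            sections[current]["vars"][key.strip()] = value.strip()
        else:
            name, *pairs = line.split()
            sections[current]["entries"][name] = dict(p.split("=", 1) for p in pairs if "=" in p)
    return sections


def find_cleartext_secrets(inventory_text, group_vars_files):
    """Return one finding per credential stored unencrypted. A value counts as
    protected only when it is a `!vault` tagged block; anything else is cleartext."""
    findings = []
    for section, body in parse_ini_inventory(inventory_text).items():
        for key in body["vars"]:
            if SECRET_KEYS.match(key):
                findings.append(f"inventory [{section}]: {key} stored in cleartext")
        for host, host_vars in body["entries"].items():
            for key in host_vars:
                if SECRET_KEYS.match(key):
                    findings.append(f"inventory [{section}] host {host}: {key} stored in cleartext")
    for path, text in group_vars_files.items():
        for line in text.splitlines():
            if line[:1].isspace():          # continuation lines of a vault block
                continue
            key, sep, value = line.partition(":")
            if sep and SECRET_KEYS.match(key.strip()) and not value.strip().startswith("!vault"):
                findings.append(f"{path}: {key.strip()} stored in cleartext")
    return findings


if __name__ == "__main__":
    for inv, gv in ((INVENTORY_OK, GROUP_VARS_OK), (INVENTORY_LEAK, GROUP_VARS_OK), (INVENTORY_OK, GROUP_VARS_LEAK)):
        print(find_cleartext_secrets(inv, {"group_vars/gns3_datacenter": gv}) or "clean")
```

The parser is deliberately small (no host ranges, no quoted values) because its job is only to get at the variable names; pointing find_cleartext_secrets at /etc/ansible/hosts and every file under group_vars/ and host_vars/ before a commit catches the mistake of pasting the password from section 5 straight into the inventory.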

 

7. Create a playbook to run a command

In this Ansible instruction, there is a simple example. I will write it like below.

root@NetworkAutomation-1:/etc/ansible# cat first_playbook.yml
- name: first playbook
  hosts: gns3_datacenter
  tasks:
  - name: show version
    nxos_command:
      commands: show version

The "hosts" parameter is the group or host name in the inventory file. In "tasks", I need to add a module. In my case, I will use a network module. This instruction will be helpful. In this example, I use the "nxos_command" module. The example below comes from "nxos_command".

 

8. Run the playbook

I will run the playbook with the "ansible-playbook" command. The instructions "Run your first network Ansible command" and "Run the playbook with the command" are helpful. The first form runs a single module directly:

ansible all -i vyos.example.net, -c network_cli -u my_vyos_user -k -m vyos_facts -e ansible_network_os=vyos

the host group(s) to which the command should apply (in this case, all)
the inventory (-i, the device or devices to target - without the trailing comma -i points to an inventory file)
the connection method (-c, the method for connecting and executing ansible)
the user (-u, the username for the SSH connection)
the SSH connection method (-k, please prompt for the password)
the module (-m, the ansible module to run)
an extra variable (-e, in this case, setting the network OS value)

The second form runs a playbook:

ansible-playbook -i vyos.example.net, -u ansible -k -e ansible_network_os=vyos first_playbook.yml

In my case, I will select the second method. I can run ansible-playbook like below.

 

9. Debug and display the result

I checked that everything is good. However, I cannot view the result on the monitor. For this, I will use the "debug" and "register" concepts. Now I will revise the playbook like below.

# cat first_playbook.yml
- name: first playbook
  hosts: gns3_datacenter
  tasks:
  - name: show version
    nxos_command:
      commands: show version
    register: message
  - debug: var=message.stdout_lines

With the added "register" and "debug" lines, I will get a result like below.

 

10. Troubleshooting

If I meet this error, I need to check the username and password.

When printing out the result, I can meet the "variable is not defined" message.

I will replace the "register" and "debug" part like below:

  - name: nxos_command
    nxos_command:
      commands: show version
    register: message
  - debug:
      msg: "{{ message }}"

And then I will get a result like this also.

 

Reference

[ 1 ] https://docs.gns3.com/appliances/cisco-nxosv9k.html
[ 2 ] https://www.youtube.com/watch?v=Pcksyle-roE
[ 3 ] https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-the-control-node
[ 4 ] https://docs.ansible.com/ansible/latest/network/getting_started/basic_concepts.html
[ 5 ] https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html
[ 6 ] https://docs.ansible.com/ansible/latest/network/getting_started/network_differences.html
[ 7 ] https://docs.ansible.com/ansible/latest/network/getting_started/first_playbook.html#create-and-run-your-first-network-ansible-playbook
[ 8 ] https://docs.ansible.com/ansible/latest/modules/list_of_network_modules.html
[ 9 ] https://docs.ansible.com/ansible/latest/modules/debug_module.html
[ 10 ] https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#registering-variables


What is the basic BGP community concept?

This instruction is a good reference. In fact, I will analyze this instruction. A BGP community is a tag attached to routing information, and filtering is done on that tag. Therefore, the routing table is controlled by these conditions. Thus I can select which routing information to advertise or to update in the table.

 

1. Pre-requisite (Basic BGP configuration)

This is my environment for this post.

S1:
interface Ethernet1/1
  no switchport
  ip address 100.12.1.11/16
  no shutdown
interface loopback0
  ip address 1.1.1.1/32
interface loopback1
  ip address 11.11.11.11/32
!
router bgp 1
  router-id 1.1.1.1
  log-neighbor-changes
  address-family ipv4 unicast
    network 1.1.1.1/32
    network 11.11.11.11/32
  neighbor 100.12.2.11
    remote-as 2
    update-source Ethernet1/1
    address-family ipv4 unicast

S2:
interface Ethernet1/1
  no switchport
  ip address 100.12.2.11/16
  no shutdown
interface Ethernet1/2
  no switchport
  ip address 100.23.2.12/16
  no shutdown
!
interface loopback0
  ip address 2.2.2.2/32
!
interface loopback1
  ip address 22.22.22.22/32
!
router bgp 2
  router-id 2.2.2.2
  log-neighbor-changes
  address-family ipv4 unicast
    network 2.2.2.2/32
    network 22.22.22.22/32
  neighbor 100.12.1.11
    remote-as 1
    update-source Ethernet1/1
    address-family ipv4 unicast
  neighbor 100.23.3.12
    remote-as 3
    update-source Ethernet1/2
    address-family ipv4 unicast

S3:
interface Ethernet1/2
  no switchport
  ip address 100.23.3.12/16
  no shutdown
interface Ethernet1/3
  no switchport
  ip address 100.34.3.13/16
  no shutdown
!
interface loopback0
  ip address 3.3.3.3/32
!
interface loopback1
  ip address 33.33.33.33/32
!
router bgp 3
  router-id 3.3.3.3
  log-neighbor-changes
  address-family ipv4 unicast
    network 3.3.3.3/32
    network 33.33.33.33/32
  neighbor 100.23.2.12
    remote-as 2
    update-source Ethernet1/2
    address-family ipv4 unicast
  neighbor 100.34.4.13
    remote-as 4
    update-source Ethernet1/3
    address-family ipv4 unicast

S4:
interface Ethernet1/3
  no switchport
  ip address 100.34.4.13/16
  no shutdown
!
interface loopback0
  ip address 4.4.4.4/32
!
interface loopback1
  ip address 44.44.44.44/32
!
router bgp 4
  router-id 4.4.4.4
  log-neighbor-changes
  address-family ipv4 unicast
    network 4.4.4.4/32
    network 44.44.44.44/32
  neighbor 100.34.3.13
    remote-as 3
    update-source Ethernet1/3
    address-family ipv4 unicast

For Nexus, "address-family ipv4 unicast" under the neighbor and "address-family ipv4 unicast" under the global router bgp are both necessary to advertise to the peer. After configuring these, I can verify the routing table and BGP information. From S2,

From S3,

From S4,

I can confirm that the routes from S1, such as "1.1.1.1" and "11.11.11.11", are advertised to S2, S3 and S4.

 

2. Configure send-community

To use the BGP community, I have to configure "send-community". There are 2 types, standard and extended. In this instruction, the extended community carries more information, such as for VPN services.

I will add the configuration like below.

S1:
router bgp 1
  neighbor 100.12.2.11
    address-family ipv4 unicast
      send-community both

S2:
router bgp 2
  neighbor 100.12.1.11
    address-family ipv4 unicast
      send-community both
  neighbor 100.23.3.12
    address-family ipv4 unicast
      send-community both

S3:
router bgp 3
  neighbor 100.23.2.12
    address-family ipv4 unicast
      send-community both
  neighbor 100.34.4.13
    address-family ipv4 unicast
      send-community both

S4:
router bgp 4
  neighbor 100.34.3.13
    address-family ipv4 unicast
      send-community both

Please note that there is no difference in the routing table after the configuration above.

 

3. Configure route-map in and out

To use the BGP community, a route-map is necessary. This route-map affects the routing table. On S1, I will add the "route-map" configuration.

!
router bgp 1
  neighbor 100.12.2.11
    address-family ipv4 unicast
      route-map to-remote-as2 out
end
!

"route-map to-remote-as2 out" means that the routing information advertised to this neighbor is controlled by this route-map. The route-map has no permit entry yet, so every prefix is denied. Therefore, after this configuration, the routing table changes: "1.1.1.1" and "11.11.11.11" are removed.

Now, I will add the policy to set community.

ip prefix-list ip-prefix-1 seq 10 permit 1.1.1.1/32
ip prefix-list ip-prefix-2 seq 10 permit 11.11.11.11/32
route-map to-remote-as2 permit 10
  match ip address prefix-list ip-prefix-1
  set community 12:130
route-map to-remote-as2 permit 20
  match ip address prefix-list ip-prefix-2
  set community 12:150

I check the routing table from S4. "1.1.1.1" and "11.11.11.11" are updated again.

And I can see more detail. I can see that the community values are set on each prefix.

So far, I have learned how to set the community with BGP. From now on, I will handle how to receive the community and use it. This is very similar to the above. I will add the configuration to S2.

!
router bgp 2
  neighbor 100.12.1.11
    address-family ipv4 unicast
      route-map from-remote-as1 in
end
!

After configuring this, the routing table changes. "1.1.1.1" and "11.11.11.11" are removed again, for the same reason: the inbound route-map has no permit entry yet.

Now I will add some configuration to match the community and use it on S2.

ip community-list expanded community-1 seq 1 permit "12:130"
ip community-list expanded community-2 seq 1 permit "12:150"
route-map from-remote-as1 permit 10
  match community community-1
  set local-preference 130
route-map from-remote-as1 permit 20
  match community community-2
  set local-preference 150

This configuration affects the S2 routing table like below.

However, it does not affect S3 and S4, even though the community value is still attached: local preference is only meaningful inside an AS and is not carried over the eBGP sessions to S3 and S4.
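To make the behaviour of sections 2 and 3 concrete, here is an added Python model (my own code, not NX-OS code or anything from this post) of the route-map evaluation used here: sequence-ordered clauses with implicit deny, "set community" on the outbound map of S1, community-list matching with "set local-preference" on the inbound map of S2, and eBGP advertisement that carries the community only with send-community and never carries LOCAL_PREF. Prefix-list matching is reduced to an exact prefix comparison and the expanded community-list to a regular expression; the Route and Clause types and the simulate() helper are this example's own names.

```python
import re
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed model of the configuration in this post. Names such as Route, Clause
# and simulate() are this example's own, not NX-OS objects.


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...] = ()
    community: Tuple[str, ...] = ()
    local_pref: int = 100            # default LOCAL_PREF when nothing sets it


@dataclass(frozen=True)
class Clause:
    """One `route-map NAME permit|deny SEQ` entry with its match/set statements."""
    action: str = "permit"
    match_prefix: Optional[str] = None       # ip prefix-list entry, exact prefix here
    match_community: Optional[str] = None    # ip community-list expanded: a regex
    set_community: Optional[str] = None
    set_local_pref: Optional[int] = None


def apply_route_map(clauses, route):
    """Evaluate clauses in sequence order; the first clause whose match statements all
    hold decides. A route matching no clause is dropped (implicit deny), which is why
    an empty route-map removed 1.1.1.1 and 11.11.11.11 in the post."""
    for clause in clauses:
        if clause.match_prefix is not None and route.prefix != clause.match_prefix:
            continue
        if clause.match_community is not None and not any(
                re.search(clause.match_community, c) for c in route.community):
            continue
        if clause.action != "permit":
            return None
        changes = {}
        if clause.set_community is not None:
            changes["community"] = (clause.set_community,)   # 'set community' without 'additive' replaces
        if clause.set_local_pref is not None:
            changes["local_pref"] = clause.set_local_pref
        return replace(route, **changes)
    return None


def ebgp_advertise(routes, local_as, out_map=None, send_community=False):
    """What an eBGP neighbour receives: outbound route-map applied, local AS prepended,
    communities only when send-community is configured, LOCAL_PREF never (it is an
    intra-AS attribute, so the receiver starts again from the default 100)."""
    received = []
    for route in routes:
        route = apply_route_map(out_map, route) if out_map is not None else route
        if route is None:
            continue
        received.append(Route(route.prefix, (local_as,) + route.as_path,
                              route.community if send_community else (), 100))
    return received


def import_with_map(routes, in_map):
    """Inbound route-map on the receiving speaker (from-remote-as1 on S2)."""
    return [r for r in (apply_route_map(in_map, x) for x in routes) if r is not None]


S1_ROUTES = [Route("1.1.1.1/32"), Route("11.11.11.11/32")]
TO_REMOTE_AS2 = [                                   # route-map to-remote-as2 on S1
    Clause(match_prefix="1.1.1.1/32", set_community="12:130"),       # permit 10
    Clause(match_prefix="11.11.11.11/32", set_community="12:150"),   # permit 20
]
FROM_REMOTE_AS1 = [                                 # route-map from-remote-as1 on S2
    Clause(match_community="12:130", set_local_pref=130),            # permit 10
    Clause(match_community="12:150", set_local_pref=150),            # permit 20
]


def simulate():
    """Routes as held by S2 after its inbound map, and as received by S3 and S4."""
    at_s2 = import_with_map(ebgp_advertise(S1_ROUTES, 1, TO_REMOTE_AS2, send_community=True),
                            FROM_REMOTE_AS1)
    at_s3 = ebgp_advertise(at_s2, 2, send_community=True)
    at_s4 = ebgp_advertise(at_s3, 3, send_community=True)
    return at_s2, at_s3, at_s4


if __name__ == "__main__":
    for name, table in zip(("S2", "S3", "S4"), simulate()):
        for r in table:
            print(name, r.prefix, "as-path", r.as_path, "community", r.community, "local-pref", r.local_pref)
```

Running it shows S2 holding the two prefixes with local preference 130 and 150, while S3 and S4 receive the same communities with the default local preference of 100. It also makes one operational caveat visible: if send-community were missing on S1, the communities would never arrive at S2 and its inbound route-map, matching only on community, would drop both prefixes.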

 

Reference

[ 1 ] https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/28784-bgp-community.html
[ 2 ] http://www.ciscopress.com/articles/article.asp?p=2756480&seqNum=12
[ 3 ] https://blog.naver.com/happy_jhyo/221291791846

How to make outbound external connections from GNS3 devices on a remote server?

I use the GNS3 simulator to study network features sometimes. There are many instructions over the internet. In this post, I will introduce how to use the NAT function to connect to the internet for outbound traffic.

 

1. Pre-requisite

I have a local GNS3 client and a remote server on Packet.net and AWS bare-metal cloud. In my case, my remote server is a Linux (Ubuntu 16.04) host. Then I uploaded the Cisco NX-OSv 9000 image to my remote server.

This is my environment to reproduce in this post.

 

2. About the NAT appliance (DHCP feature)

In GNS3, there is a NAT appliance. Its role is to connect virtually to the physical interface on the remote server. This NAT appliance offers a DHCP feature to assign IP addresses. This IP address determines the next hop for the Cisco switch/router. Thus, the Cisco switch/router should have the DHCP feature enabled.

feature dhcp
ip route 0.0.0.0/0 192.168.122.1

no ip dhcp relay
no ipv6 dhcp relay

interface Ethernet1/1
  no switchport
  ip address dhcp
  no shutdown

After this configuration, I can verify the interface status with the "show ip int br" command.

And "ip route 0.0.0.0/0 192.168.122.1" is written. On the Linux host (remote server), I can see the interfaces like below.

With these interfaces, the packets are transferred to the external side. I can see the masquerade rule in the iptables nat table like below.

Now I can send traffic to the outside from switch 1. Please note that it is not possible from switch 2.

switch 1(config)# ip domain-lookup


switch 1(config)# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=53 time=19.257 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=53 time=2.484 ms

 

3. Configure NAT inside and outside

Switch 1 can send packets to the outside, however switch 2 cannot, because only the "192.168.122.0/24" network is masqueraded on the remote server. This is the reason why switch 1 needs the NAT feature. In this instruction, there is an explanation of the Cisco NAT concept.

Inside source translation is for inside --> outside traffic. Outside source translation is for outside --> inside traffic. First, I will mark the directions on Cisco switch 1.

feature nat


interface Ethernet1/1
  no switchport
  ip address dhcp
  ip nat outside
  no shutdown

interface Ethernet1/2
  no switchport
  ip address 172.12.1.12/16
  ip nat inside
  no shutdown

 

4. Create a rule (NAT policy) for outbound traffic

In this post, I handle only outbound traffic. The main point is that the source IP address of all traffic to the outside should be changed to the IP address of switch 1's interface Ethernet1/1. This post will be useful. I want all traffic to be translated.

ip access-list 1
  10 permit ip any any


ip nat inside source list 1 interface Ethernet1/1 overload

 

5. Configure the inside network (switch 2)

So far, I have made the NAT firewall. From this part, it can be assumed to be the internal network. However, I only use a single switch/router for simplicity.

ip route 0.0.0.0/0 172.12.1.12

interface Ethernet1/2
  no switchport
  ip address 172.12.2.12/16
  no shutdown

This is a normal configuration. There is nothing special. After this default configuration, I can verify the outbound connection from switch 2 like below.

It works now.
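The two translation points in sections 2 to 5 can be modelled in a few lines. The Python below is an added example, not code from this post, from NX-OS or from netfilter: an overload (PAT) table on switch 1 in front of the Linux host's MASQUERADE rule, which only covers 192.168.122.0/24. The outside address of switch 1 (192.168.122.50), the host's public address (203.0.113.10), the port range and the packet values are constructed. It shows why switch 2's traffic got no answer before NAT was configured, how a reply finds its way back through the binding, and that an unsolicited inbound packet has no binding and is dropped.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model, not NX-OS or netfilter code. Addresses shown in the post are
# kept; the DHCP-assigned outside address of switch 1 (192.168.122.50), the remote
# server's public address (203.0.113.10) and the port range are ASSUMPTIONS.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class OverloadNat:
    """'ip nat inside source list 1 interface Ethernet1/1 overload': many inside
    (ip, port) pairs share one outside address, told apart by the outside port.
    Only replies that match an existing binding are translated back; any other
    packet arriving from outside has no binding and is dropped."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.out_table = {}   # (inside_ip, inside_port) -> outside_port
        self.in_table = {}    # outside_port -> (inside_ip, inside_port)

    def inside_to_outside(self, pkt, acl=lambda p: True):
        """Translate a packet leaving through the 'ip nat outside' interface.
        acl stands for access-list 1 of the post (permit ip any any)."""
        if not acl(pkt):
            return pkt                       # not selected for translation
        key = (pkt.src, pkt.sport)
        if key not in self.out_table:        # first packet of a flow creates the binding
            self.out_table[key] = self.next_port
            self.in_table[self.next_port] = key
            self.next_port += 1
        return Packet(self.outside_ip, self.out_table[key], pkt.dst, pkt.dport)

    def outside_to_inside(self, pkt):
        """Translate a packet arriving on the outside interface; None means dropped."""
        if pkt.dst != self.outside_ip or pkt.dport not in self.in_table:
            return None
        inside_ip, inside_port = self.in_table[pkt.dport]
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


MASQ_NET = ipaddress.ip_network("192.168.122.0/24")


def linux_masquerade(pkt, host_ip="203.0.113.10"):
    """The remote server's MASQUERADE rule only rewrites sources in the NAT
    appliance's subnet. A packet with any other private source is treated as
    lost here: it would leave unrewritten and no reply could come back, which
    is what switch 2 observed before NAT was configured on switch 1."""
    if ipaddress.ip_address(pkt.src) in MASQ_NET:
        return Packet(host_ip, pkt.sport, pkt.dst, pkt.dport)
    return None


def outbound_path(pkt, nat=None):
    """switch 2 -> switch 1 (NAT when configured) -> Linux host. Returns the packet
    as seen on the internet, or None when it cannot get there."""
    if nat is not None:
        pkt = nat.inside_to_outside(pkt)
    return linux_masquerade(pkt)


if __name__ == "__main__":
    query = Packet("172.12.2.12", 40000, "8.8.8.8", 53)
    print("without NAT on switch 1:", outbound_path(query))
    nat = OverloadNat("192.168.122.50")
    print("with NAT on switch 1:   ", outbound_path(query, nat))
    print("reply back to switch 2: ", nat.outside_to_inside(Packet("8.8.8.8", 53, "192.168.122.50", 1024)))
    print("unsolicited inbound:    ", nat.outside_to_inside(Packet("198.51.100.7", 4444, "192.168.122.50", 22)))
```

The binding table is the security-relevant part of the overload rule: nothing from the outside reaches switch 2 unless a flow from the inside created the entry first, so the "permit ip any any" access-list only widens what may go out, not what may come in.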

 

Reference

[ 1 ] https://docs.gns3.com/1c2Iyiczy6efnv-TS_4Hc7p11gn03-ytz9ukgwFfckDk/index.html
[ 2 ] https://docs.gns3.com/appliances/cisco-nxosv9k.html
[ 3 ] https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/interfaces/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x_chapter_01100.html#concept_F5BFDE98ABA749859F5AD710AC61EFCD
[ 4 ] https://onlyit.tistory.com/entry/How-to-use-a-nat-node-in-gns3
