Category: Configuration

Reflexive Access List

Some of my readers commented on my old article about reflexive access-list with issues in the configuration. I tried it in the lab again to be sure I didn’t make any mistake in the configuration example and here I’m sharing the lab and the config used.

About Reflexive Access Lists

Extended ACLs are a special kind of extended access-lists that have limited stateful behaviour technique implemented for TCP sessions. It is better to say that reflexive access-list is simulating stateful behaviour because it, by use of ‘established’ command, is allowing TCP packets that have the ‘ACK’ bit set but not the initial ‘SYN-only’ packet. In this way, we are effectively permitting only the packets that are part of an established session.

In my prior article, I showed how this works by enabling PING from PC1 in VLAN 10 to PC2 in VLAN 20 but not the other way.

I created the lab topology in GNS3:

| Continue Reading.. |

Juniper Control Plane Protection

I already wrote about Control Plane Protection in one of my previous posts focused on Cisco device configuration. Here we will make the same thing on Juniper device, I was using Juniper SRX300 and Juniper SRX1500 devices in my lab.

CoPP ??

Control Plane Protection (CoPP) is a method of protecting processor unit, running services on your network device, against excessive flooding. Excessive flooding of traffic aimed towards your router/firewall processor, being that valid or malicious, is always undesirable and can also be dangerous.

A network device, which starts the receive more control traffic that his processor can process, will eventually experience control traffic packet drops and it will lead to some of the router functions to become unstable. Some of the most common control traffic generating services on a router are routing protocols with different update packets, Spanning Tree with BPDU packets, HSRP, CDP, ARP, and different management traffic services like SSH, SNMP, RADIUS etc.

Some of those control plane traffic types are more important than others but they all have in common the fact that they don’t normally use much bandwidth to function. Having that in mind, it is easy to conclude that the situation above with router processor at 100% because of control plane traffic is most surely caused by a DDoS attack towards your device.

More unusual is the situation when a neighboring device is experiencing some kind of malfunction which makes him send large amounts of control plane traffic out of his interfaces towards your device.

CoPP is the best way to avoid this kind of attacks or malfunctions to get in the way of your network device stability. CoPP is basically configuration of QoS inbound to your device control plane (CPU).

CoPP Best Practices

The way to configure CoPP in the most stable and effective way is to use guaranteed minimal available bandwidth for each control plane traffic type.

| Continue Reading.. |

Enable Source-Specific Multicast in Iperf

I was preparing lab environment to test configuration of Source-Specific Multicast on Juniper SRX Equipment and needed a tool to generate and measure Source-Specific Multicast streams.

I was aware that Iperf is a good enough tool to generate and measure multicast and unicast traffic but support for SSM was missing from current version. Fortunately there are always some developers which are interested in networking so one of them developed a special Iperf version 2.0.5 with SSM support.

The idea here is to show how to make this version of Iperf work on your Cent OS or similar Linux machine.

Here are few steps that should work from your Cent OS 6.8 Linux Server and hopefully from other similar distributions to:

| Continue Reading.. |

Source-Specific Multicast Configuration

In SSM, Source-Specific Multicast, things are done differently from standard multicast forwarding. SSM is specifying a group of hosts that are receiving same multicast stream using group IP address and additionally using stream unicast source IP.

In this article it is shown how to configure Source Specific Multicast on Cisco and Juniper equipment.

In standard multicast, forwarding is done using group IP address which is an IP from multicast dedicated range 224.0.0.0/4 (224.0.0.0 – 239.255.255.255) or FF00::/8 in IPv6. Each multicast group IP address is a single address which specifies all hosts receiving a specific stream, streamed towards that group IP address from multicast source. In standard multicast everybody can start to stream with some IP multicast group IP, becoming in that way, the multicast source.

| Continue Reading.. |

ISSU Upgrade of Cisco Catalyst 6880-X VSS Cluster and 6800ia FEX extenders

For a shorter update procedure guide check abbreviated article: Short list of upgrade steps without extensive explanations “Cisco Catalyst 6880-X VSS ISSU Upgrade Steps

Intro

Cisco spoiled us over the years with great and detailed documentation on each technology and hardware component they support. Still, I managed to find a part where documentation is not detailed enough to give you definite number of steps to get things done.

While preparing for software upgrade of Cisco Catalyst 6880-X VSS cluster I stumbled on one of the first examples of outdated and vague procedure for upgrade of Cisco device. Here is my successful ISSU (In-Service Software Upgrade) procedure which I done few days ago. I hope it will help you avoid sweating and hoping that you typed the right thing on a VSS cluster that should not go down at any point 🙂

I included an Acronym Guide at the bottom of the post to guide you trough VSS, ISSU, Cluster, and other mentioned abbreviation which are not described in details here

In my case the environment was Catalyst 6880-X and four 6800ia Fabric Extenders FEX. The same procedure is valid for more on for no FEX extenders.

Cisco Catalyst 6880-X VSS

Cisco Catalyst 6880-X VSS

Get the info on which IOS version is supported to be upgraded with ISSU

Not all IOS images can be upgraded to new IOS versions using In Service procedure to avoid network traffic downtime. In order to get things working, you need to get into Cisco docs and find ISSU supported upgrade matrix document.

| Continue Reading.. |