Other
These topics are not considered critical because they aren't usually used as a base for something else, but they can easily give you some points if configured correctly.
Having a general idea is probably enough, as long as you know where to look in the documentation for the details.
MAC accounting
Use it to collect statistics about traffic per MAC address.
IOS
interface FastEthernet0/0
ip accounting mac-address input
ip accounting mac-address output
IOS-XR
interface TenGigE0/2/0/0
mac-accounting ingress
mac-accounting egress
IP/precedence accounting
Use it to collect statistics about traffic per IP address or per IP precedence.
IOS
R3(config-subif)#ip accounting ?
access-violations Account for IP packets violating access lists on this
interface
output-packets Account for IP packets output on this interface
precedence Count packets by IP precedence on this interface
<cr>
IOS
R3(config)#ip ?
Global IP configuration subcommands:
...
accounting-list Select hosts for which IP accounting information is
kept
accounting-threshold Sets the maximum number of accounting entries
accounting-transits Sets the maximum number of transit entries
...
carrier-delay
For fast convergence use low (or 0) timers, especially for the down timer.
For CPU optimization (after routing instability due to small interface flaps) use higher timers.
e.g. if there is a backup circuit available:
IOS
interface FastEthernet0/0
carrier-delay msec 50
IOS-XR
interface TenGigE0/2/0/0
carrier-delay down 0 up 3000
IP event dampening
It's a mechanism to suppress the effects of excessive interface flapping events on routing protocols and routing tables.
Parameters:
- half-life period
- the penalty is reduced by half after each half-life period (assuming the interface has stopped flapping)
- default: 5 sec
- reuse threshold
- when the penalty drops to the reuse threshold, the route is unsuppressed
- default: 1000 penalties
- suppress threshold
- when the accumulated penalty reaches the suppress threshold, the interface is placed in the dampened state and the route is suppressed
- default: 2000 penalties
- max suppress
- the maximum amount of time an interface can remain dampened when a penalty is assigned to it
- default: 4 x half-life sec
- restart penalty
- initial penalty applied to an interface when it comes up after a router reload
- default: 2000 penalties
IOS
interface FastEthernet0/0
dampening 30 2000 5000 60
R3#sh interfaces dampening
FastEthernet0/0
Flaps Penalty Supp ReuseTm HalfL ReuseV SuppV MaxSTm MaxP Restart
0 0 FALSE 0 30 2000 5000 60 8000 0
IOS-XR
interface TenGigE0/2/0/0
dampening 1 2000 5000 2
IOS-XR half-life and max-suppress values are in minutes, while in IOS they are in seconds.
Use "debug dampening interface" to verify the dampening procedure.
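The penalty mechanics described above, as an added example that is not from the original page or from Cisco: a model of the IOS dampening algorithm run with the same "dampening 30 2000 5000 60" values. It assumes a fixed penalty of 1000 per down transition (the IOS default) and derives the 8000 "MaxP" shown in "sh interfaces dampening" from reuse * 2^(max-suppress / half-life).

```python
import math

# Assumption: every down transition adds a fixed penalty of 1000 (IOS default).
FLAP_PENALTY = 1000


class Dampening:
    def __init__(self, half_life, reuse, suppress, max_suppress):
        self.half_life = half_life        # seconds on IOS (minutes on IOS-XR)
        self.reuse = reuse                # unsuppress when penalty decays to this
        self.suppress = suppress          # dampen when penalty reaches this
        self.max_suppress = max_suppress  # longest time the interface stays dampened
        # The penalty is capped so it can always decay back to the reuse
        # threshold within max_suppress: reuse * 2^(max_suppress / half_life).
        # For 2000 and 60/30 this is 8000, the MaxP column of the show output.
        self.max_penalty = reuse * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay_to(self, now):
        # Exponential decay: the penalty halves every half_life seconds.
        elapsed = now - self.last_update
        self.penalty *= 2 ** (-elapsed / self.half_life)
        self.last_update = now
        if self.suppressed and self.penalty <= self.reuse:
            self.suppressed = False  # route is unsuppressed again

    def flap(self, now):
        """Interface went down at time `now`; returns True if it is now dampened."""
        self._decay_to(now)
        self.penalty = min(self.penalty + FLAP_PENALTY, self.max_penalty)
        if self.penalty >= self.suppress:
            self.suppressed = True
        return self.suppressed

    def seconds_until_reuse(self, now):
        """Time until the route is unsuppressed, bounded by max_suppress."""
        self._decay_to(now)
        if not self.suppressed:
            return 0.0
        t = self.half_life * math.log2(self.penalty / self.reuse)
        return min(t, self.max_suppress)


def simulate(flap_times, half_life=30, reuse=2000, suppress=5000, max_suppress=60):
    """Replay flap timestamps (seconds). Returns the index of the first flap that
    dampened the interface (None if never) and the reuse wait after the last flap."""
    d = Dampening(half_life, reuse, suppress, max_suppress)
    first_dampened = None
    for i, t in enumerate(flap_times):
        if d.flap(t) and first_dampened is None:
            first_dampened = i
    return first_dampened, d.seconds_until_reuse(flap_times[-1])


if __name__ == "__main__":
    # Constructed input: the interface flaps every 5 seconds, seven times.
    print(simulate([0, 5, 10, 15, 20, 25, 30]))
```

With flaps every 5 seconds the penalty never reaches 5000 after six flaps, but the seventh pushes it over and the route stays suppressed for about 40 seconds, well inside the 60 second max-suppress.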
preconfigure interfaces
If you don't have the actual linecards and/or interfaces, you can use preconfiguration in order to create interfaces in advance, which is a nice way of testing configurations.
IOS-XR
CRS(config)#int preconfigure pos ?
R/S/I/P Preconfig interface in Rack/Slot/Instance/Port format
Type-7 passwords
You can use a key-chain to recover a type 7 password.
NAT
"sh ip nat translations" shows translation for both global routing table and VRFs.
You can use "ip nat inside" on an interface even when the traffic passing through it is labeled.
IP SLA
IP SLA uses active traffic monitoring for measuring network performance.
The information collected includes data about:
- response time
- one-way latency
- jitter
- packet loss
- voice quality scoring
- network resource availability
- application performance
- server response time
Configuration Steps
- Enable the IP SLAs responder (if required)
- Configure the required IP SLAs operation type
- Configure any options available for the specified IP SLAs operation type
- Configure threshold conditions (if required)
- Schedule the operation to run
- Collect the statistics
You can use the following command to find the supported operation types to use for SLA:
IOS
R1#sh ip sla application
IP Service Level Agreement Technologies
Version: Round Trip Time MIB 2.2.0, Infrastructure Engine-II
Supported Operation Types:
802.1agEcho VLAN, EVC, Port, 802.1agJitter VLAN, EVC, Port
dhcp, dns, echo, ftp, http, jitter, lspGroup, lspPing
lspPingPseudowire, lspTrace, , pathEcho, pathJitter
tcpConnect, udpEcho
Supported Features:
IPSLAs Event Publisher
Common parameters:
- frequency (sec)
- the rate at which a specified IP SLAs operation repeats
- request-data-size (bytes)
- the protocol data size in the payload of an IP SLAs operation's request packet
- threshold (msec)
- the upper threshold value for calculating network monitoring statistics
- timeout (msec)
- the amount of time an IP SLAs operation waits for a response from its request packet
It's obvious that if you set the timeout < threshold, then you'll never get over-threshold statistics.
Configuration
IOS
ip sla 1
icmp-echo 2.2.2.2
timeout 40
threshold 20
frequency 30
ip sla schedule 1 life 600 start-time now
Verification
IOS
R1#sh ip sla statistics detail
Round Trip Time (RTT) for Index 1
Type of operation: icmp-echo
Latest RTT: 20 ms
Latest operation start time: *13:25:14.311 UTC Sun Jan 26 2014
Latest operation return code: OK
Over thresholds occurred: FALSE
Number of successes: 1
Number of failures: 0
Operation time to live: 588 sec
Operational state of entry: Active
Last time this entry was reset: *13:25:14.307 UTC Sun Jan 26 2014
R1#sh ip sla statistics detail
Round Trip Time (RTT) for Index 1
Type of operation: icmp-echo
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *13:25:44.311 UTC Sun Jan 26 2014
Latest operation return code: Timeout
Over thresholds occurred: FALSE
Number of successes: 1
Number of failures: 1
Operation time to live: 549 sec
Operational state of entry: Active
Last time this entry was reset: *13:25:14.307 UTC Sun Jan 26 2014
R1#sh ip sla statistics detail
Round Trip Time (RTT) for Index 1
Type of operation: icmp-echo
Latest RTT: 24 ms
Latest operation start time: *13:26:44.311 UTC Sun Jan 26 2014
Latest operation return code: Over threshold
Over thresholds occurred: TRUE
Number of successes: 1
Number of failures: 3
Operation time to live: 505 sec
Operational state of entry: Active
Last time this entry was reset: *13:25:14.307 UTC Sun Jan 26 2014
If you want to change the parameters of an already running sla operation, you have to remove its schedule first and then change it.
If you want to change the type of an already existing sla operation, you have to remove it completely and start over.
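The return codes in the three snapshots above follow from the configured threshold (20 ms) and timeout (40 ms). As an added example, not code from the original page or from Cisco, this classifies a probe result the same way and checks it against the snapshots; the snapshot text is trimmed from the page's output and embedded as constructed input.

```python
THRESHOLD_MS = 20   # from "ip sla 1" above
TIMEOUT_MS = 40

# Constructed from the three snapshots on the page, trimmed to the relevant lines.
SNAPSHOTS = [
    "Latest RTT: 20 ms\nLatest operation return code: OK\nNumber of failures: 0",
    "Latest RTT: NoConnection/Busy/Timeout\nLatest operation return code: Timeout\n"
    "Number of failures: 1",
    "Latest RTT: 24 ms\nLatest operation return code: Over threshold\nNumber of failures: 3",
]


def expected_return_code(rtt_ms, threshold_ms=THRESHOLD_MS, timeout_ms=TIMEOUT_MS):
    """rtt_ms is None when no reply arrived within the timeout."""
    if rtt_ms is None or rtt_ms > timeout_ms:
        return "Timeout"
    if rtt_ms > threshold_ms:
        return "Over threshold"
    return "OK"


def over_threshold_possible(threshold_ms, timeout_ms):
    """The 'Over threshold' band is (threshold, timeout]; it is empty when the
    timeout is not larger than the threshold, which is the caveat stated above."""
    return timeout_ms > threshold_ms


def parse_stats(text):
    """Turn the 'key: value' lines of 'sh ip sla statistics detail' into a dict,
    adding rtt_ms (None when the router printed NoConnection/Busy/Timeout)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    rtt = fields.get("Latest RTT", "")
    fields["rtt_ms"] = int(rtt.split()[0]) if rtt.endswith(" ms") else None
    fields["failures"] = int(fields.get("Number of failures", 0))
    return fields


def check_snapshots(snapshots):
    """Return (return_code, matches_expected) per snapshot; a mismatch means the
    observed RTT does not explain the code the router reported."""
    out = []
    for snap in snapshots:
        s = parse_stats(snap)
        code = s["Latest operation return code"]
        out.append((code, code == expected_return_code(s["rtt_ms"])))
    return out
```

Note that in the page's snapshots the over-threshold probe raised the failure count while the success count stayed at 1, so over-threshold results are counted as failures, not successes.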
IP SLA Responder
The IP SLA Responder listens on a specific port (UDP 1967) for control protocol messages sent by an IP SLAs operation. Upon receipt of the control message, the responder will enable the specified UDP or TCP port for the specified duration.
It can help avoid measuring the processing delay and provide greater accuracy, because it allows the target device to take two time stamps, both when the packet arrives on the interface at interrupt level and again just as it is leaving, eliminating the processing time.
To capture one-way delay measurements, NTP must be enabled on both the source router and target router and their clocks need to be synchronized to the same clock source (with the ability to configure a clock tolerance for operations with microsecond precision). One-way jitter measurements do not require clock synchronization.
Configuration
R1
IOS
ip sla 2
udp-jitter 2.2.2.2 4444
timeout 2000
frequency 30
ip sla schedule 2 life 300 start-time now
R2
IOS
ip sla responder
Verification
IOS
R1#sh ip sla statistics detail
Round Trip Time (RTT) for Index 2
Type of operation: jitter
Latest RTT: 22 ms
Latest operation start time: *13:41:02.579 UTC Sun Jan 26 2014
Latest operation return code: OK
RTT Values
Number Of RTT: 10
RTT Min/Avg/Max: 5/22/37 ms
Latency one-way time milliseconds
Number of Latency one-way Samples: 0
Source to Destination Latency one way Min/Avg/Max: 0/0/0 ms
Destination to Source Latency one way Min/Avg/Max: 0/0/0 ms
Source to Destination Latency one way Sum/Sum2: 0/0
Destination to Source Latency one way Sum/Sum2: 0/0
Jitter time milliseconds
Number of SD Jitter Samples: 9
Number of DS Jitter Samples: 9
Source to Destination Jitter Min/Avg/Max: 1/10/24 ms
Destination to Source Jitter Min/Avg/Max: 0/5/20 ms
Source to destination positive jitter Min/Avg/Max: 3/10/24 ms
Source to destination positive jitter Number/Sum/Sum2: 3/31/601
Source to destination negative jitter Min/Avg/Max: 1/9/16 ms
Source to destination negative jitter Number/Sum/Sum2: 6/55/699
Destination to Source positive jitter Min/Avg/Max: 1/6/20 ms
Destination to Source positive jitter Number/Sum/Sum2: 4/25/411
Destination to Source negative jitter Min/Avg/Max: 1/5/13 ms
Destination to Source negative jitter Number/Sum/Sum2: 4/20/190
Interarrival jitterout: 0 Interarrival jitterin: 0
Over thresholds occurred: FALSE
Packet Loss Values
Loss Source to Destination: 0 Loss Destination to Source: 0
Out Of Sequence: 0 Tail Drop: 0 Packet Late Arrival: 0
Packet Skipped: 0
Voice Score Values
Calculated Planning Impairment Factor (ICPIF): 0
Mean Opinion Score (MOS): 0
Number of successes: 3
Number of failures: 0
Operation time to live: 214 sec
Operational state of entry: Active
Last time this entry was reset: *13:40:02.531 UTC Sun Jan 26 2014
IOS
R2#sh ip sla responder
IP SLAs Responder is: Enabled
Number of control message received: 4 Number of errors: 0
Recent sources:
169.254.12.1 [13:41:32.131 UTC Sun Jan 26 2014]
169.254.12.1 [13:41:02.159 UTC Sun Jan 26 2014]
169.254.12.1 [13:40:32.143 UTC Sun Jan 26 2014]
169.254.12.1 [13:40:02.123 UTC Sun Jan 26 2014]
Recent error sources:
IP SLA for MPLS VPN
No major difference exists, you just need to define the VRF to be used for connectivity. It's also good practice to define the source address of the operation.
Configuration
IOS
ip sla 3
path-echo 10.0.0.2 source-ip 10.0.0.1
vrf VPN
frequency 30
ip sla schedule 3 life 300 start-time now
Verification
IOS
R1#sh ip sla statistics detail
Round Trip Time (RTT) for Index 3
Type of operation: path-echo
Latest RTT: 60 ms
Latest operation start time: *14:01:35.903 UTC Sun Jan 26 2014
Latest operation return code: OK
Over thresholds occurred: FALSE
Number of successes: 10
Number of failures: 0
Operation time to live: 0
Operational state of entry: Inactive
Last time this entry was reset: *13:57:05.899 UTC Sun Jan 26 2014
You can always use the following command to verify your IP SLA setup and view the default values of all parameters not explicitly configured:
IOS
R1#sh ip sla configuration 3
IP SLAs, Infrastructure Engine-II.
Entry number: 3
Owner:
Tag:
Type of operation to perform: path-echo
Target address/Source address: 10.0.0.2/10.0.0.1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Loose Source Routing: Disabled
Vrf Name: VPN
LSR Path:
Schedule:
Operation frequency (seconds): 30
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Randomly Scheduled : FALSE
Life (seconds): 300
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
Number of statistic hours kept: 2
Number of statistic paths kept: 5
Number of statistic hops kept: 16
Number of statistic distribution buckets kept: 1
Statistic distribution interval (milliseconds): 20
History Statistics:
Number of history Lives kept: 0
Number of history Buckets kept: 15
Number of history Samples kept: 16
History Filter Type: None
Netflow
Netflow can help in:
- network application and user monitoring
- network analysis and planning
- security analysis, accounting and billing
- traffic engineering
- data warehousing and data mining
Netflow key fields:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- Layer 3 protocol type
- Type of service (ToS)
- Input logical interface
Netflow versions
- v1
- initial version
- v5
- adds support for ASN and flow sequence numbers
- v7
- special version for old C6k releases
- v8
- adds support for aggregation caches
- v9
- adds support for new fields and record types using templates
- adds support for IPv6, multicast, MPLS and BGP next hop
- v10
- aka IPFIX
v1, v5, v9 are the most common ones.
IPFIX (an IETF standard) is based on netflow v9.
IOS
interface FastEthernet0/0.34
ip flow ingress
ip flow egress
IOS
R3#sh ip cache flow
IP packet size distribution (20 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.550 .200 .000 .250 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 4456704 bytes
4 active, 65532 inactive, 14 added
219 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 533256 bytes
0 active, 16384 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-BGP 1 0.0 2 49 0.0 11.7 15.0
UDP-other 8 0.0 1 28 0.0 0.0 15.3
ICMP 1 0.0 5 100 0.0 8.0 15.8
Total: 10 0.0 1 54 0.0 1.9 15.4
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/0.37 34.3.7.7 Fa0/0.34* 46.0.0.8 11 C013 829F 1
Fa0/0.37 34.3.7.7 Fa0/0.34* 46.0.0.8 11 C012 829E 1
Fa0/0.37 34.3.7.7 Fa0/0.34* 46.0.0.8 11 C011 829D 1
Fa0/0.34 169.254.34.4 Local 169.254.34.3 06 5415 00B3 2
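The flow table above prints the protocol and both ports in hex, and the trailing "*" on DstIf marks a flow collected by "ip flow egress". As an added example (not from the original page or from Cisco) this decodes those rows, labels what the key fields reveal, and aggregates them by address pair; the sample rows are taken from the output above.

```python
from collections import defaultdict

# Constructed sample: the flow-table rows from the "sh ip cache flow" output above.
FLOW_TABLE = """\
Fa0/0.37 34.3.7.7 Fa0/0.34* 46.0.0.8 11 C013 829F 1
Fa0/0.37 34.3.7.7 Fa0/0.34* 46.0.0.8 11 C012 829E 1
Fa0/0.37 34.3.7.7 Fa0/0.34* 46.0.0.8 11 C011 829D 1
Fa0/0.34 169.254.34.4 Local 169.254.34.3 06 5415 00B3 2
"""

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Default UDP destination port range used by traceroute probes (33434 upward).
TRACEROUTE_PORTS = range(33434, 33534)


def parse_flow_line(line):
    """Decode one row: Pr, SrcP and DstP are hex; '*' on DstIf means egress flow."""
    src_if, src_ip, dst_if, dst_ip, pr, sport, dport, pkts = line.split()
    return {
        "src_if": src_if, "src_ip": src_ip,
        "dst_if": dst_if.rstrip("*"), "dst_ip": dst_ip,
        "egress": dst_if.endswith("*"),
        "proto": int(pr, 16),
        "sport": int(sport, 16), "dport": int(dport, 16),
        "pkts": int(pkts),
    }


def parse_flow_table(text):
    return [parse_flow_line(l) for l in text.splitlines() if l.strip()]


def describe(flow):
    """Label a flow from its key fields; traceroute and BGP are recognised by port."""
    name = PROTOCOLS.get(flow["proto"], str(flow["proto"]))
    if flow["proto"] == 17 and flow["dport"] in TRACEROUTE_PORTS:
        return f"{name} traceroute probe"
    if flow["proto"] == 6 and 179 in (flow["sport"], flow["dport"]):
        return f"{name} BGP"
    return name


def packets_per_pair(flows):
    """Sum packets by (src_ip, dst_ip, proto), dropping the port key fields,
    the way a prefix/protocol aggregation cache collapses the per-port flows."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src_ip"], f["dst_ip"], f["proto"])] += f["pkts"]
    return dict(totals)


if __name__ == "__main__":
    for f in parse_flow_table(FLOW_TABLE):
        print(f["src_ip"], "->", f["dst_ip"], f["dport"], describe(f))
```

The three UDP flows from 34.3.7.7 decode to destination ports 33437 to 33439 with incrementing source ports, i.e. consecutive traceroute probes, and the TCP flow to port 179 is the BGP session counted as TCP-BGP in the protocol summary.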
When using netflow v9, you can include the BGP next-hop with either the peer-as or the origin-as.
IOS
ip flow-export version 9 origin-as bgp-nexthop
ip flow-export destination 34.0.0.7 3333
IOS
R3#sh ip flow export
Flow export v9 is enabled for main cache
Export source and destination details :
VRF ID : Default
Destination(1) 34.0.0.7 (3333)
Version 9 flow records, peer-as bgp-nexthop
5 flows exported in 2 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
You can also define the duration of active/inactive flows before they are exported.
You need to find the right balance between short and long timeouts, taking into account the cache size and the CPU load.
IOS
ip flow-cache timeout inactive 30
ip flow-cache timeout active 10
Various options are also available for aggregation caches:
IOS
R3(config)#ip flow-aggregation cache ?
as AS aggregation
as-tos AS-TOS aggregation
bgp-nexthop-tos BGP nexthop TOS aggregation
destination-prefix Destination Prefix aggregation
destination-prefix-tos Destination Prefix TOS aggregation
prefix Prefix aggregation
prefix-port Prefix-port aggregation
prefix-tos Prefix-TOS aggregation
protocol-port Protocol and port aggregation
protocol-port-tos Protocol, port and TOS aggregation
source-prefix Source Prefix aggregation
source-prefix-tos Source Prefix TOS aggregation
You can use two export protocols:
- UDP (default)
- unreliable
- not congestion aware
- SCTP
- uses reliable, partly-reliable or no reliable transmission
- implements congestion control mechanism
IOS
ip flow-export destination 2.2.2.2 2222
ip flow-export destination 3.3.3.3 3333 sctp
backup destination 4.4.4.4 4444
SCTP is supported in IOS > 12.4(4)T.
MPLS egress netflow
It allows you to capture IP flow information for packets that arrive on a router as MPLS packets and that are transmitted as IP packets (i.e. PE=>CE direction).
IOS
interface FastEthernet0/0.17
ip vrf forwarding ONE
mpls netflow egress
IOS
R7#sh mpls forwarding-table vrf ONE 10.1.7.0 24 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
18 Aggregate 10.1.7.0/24[V] 0
MAC/Encaps=0/0, MRU=0, Tag Stack{}
VPN route: ONE
Feature Quick flag set
Per-packet load-sharing
R7#sh ip cache flow
IP packet size distribution (5 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .000 .000 1.00 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
1 active, 4095 inactive, 1 added
4 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25800 bytes
1 active, 1023 inactive, 1 added, 1 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/0.37 10.0.0.3 Fa0/0.17* 10.0.0.1 01 0000 0800 5
Netflow for Layer 2
You can also capture some extra fields that include L2 information, like below:
IOS
R3(config)#ip flow-capture ?
fragment-offset Capture the fragment offset
icmp Capture the ICMP type and code
ip-id Capture the IP id
mac-addresses Capture src and dst MAC addresses
packet-length Capture the max and min packet length
ttl Capture the TTL
vlan-id Capture the VLAN id
IOS
R3#sh ip cache verbose flow
IP packet size distribution (229 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.427 .528 .000 .043 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 4456704 bytes
2 active, 65534 inactive, 158 added
3870 ager polls, 0 flow alloc failures
Active flows timeout in 10 minutes
Inactive flows timeout in 30 seconds
IP Sub Flow Cache, 533256 bytes
6 active, 16378 inactive, 47 added, 43 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-BGP 57 0.0 2 49 0.0 13.4 25.2
UDP-other 98 0.0 1 28 0.0 0.0 15.7
ICMP 1 0.0 5 100 0.0 8.0 15.8
Total: 156 0.0 1 41 0.0 4.9 19.1
SrcIf SrcIPaddress DstIf DstIPaddress Pr TOS Flgs Pkts
Port Msk AS Port Msk AS NextHop B/Pk Active
BGP: BGP NextHop
Fa0/0.37 34.3.7.7 Fa0/0.34* 46.0.0.4 01 00 10 5
0000 /24 0 0800 /32 248 169.254.34.4 100 7.9
BGP: 169.254.34.4
FFlags: 01
MAC: (VLAN id) c208.0618.0000 (037) ca06.13bc.0000 (034)
ICMP type: 8 ICMP code: 0
Fa0/0.34 169.254.34.4 Local 169.254.34.3 06 C0 18 2
5415 /32 0 00B3 /32 0 0.0.0.0 49 17.9
BGP: 0.0.0.0
MAC: (VLAN id) ca06.13bc.0000 (034) 0000.0000.0000 (000)
Netflow for IPv6
You can also export IPv6 flows, like the IPv4 ones.
IOS
interface X
ipv6 flow ingress
ipv6 flow egress
!
ipv6 flow-export destination 5.5.5.5 5555
The same flow parameters apply to IPv6 as well.
An extra option is the ability to specify a minimum mask for prefixes, in order to control how much address detail is kept.
Netflow for IPv6 is supported in IOS > 12.3(7)T.
Netflow for multicast
- ingress
- information about the source and how many times the traffic was replicated
- packets that fail RPF check
- egress
- information about the destination of the traffic flow
IOS
ip multicast netflow output-counters
ip multicast netflow rpf-failure
You also need to enable normal netflow under the relevant interfaces.
Links
PBB (802.1ah) or MAC-in-MAC
Ingress UNI & Tunnel configuration
IOS
interface X
service instance 10 ethernet
encapsulation dot1q 10
bridge-domain 100 c-mac
service instance 20 ethernet
encapsulation dot1q 20
bridge-domain 200 c-mac
!
interface Y
service instance 10 ethernet
encapsulation dot1q 10
bridge-domain 100 c-mac
service instance 20 ethernet
encapsulation dot1q 20
bridge-domain 200 c-mac
!
ethernet mac-tunnel virtual 1
bridge-domain 1111
mac tunnel address destination default 9999.9999.9999
service instance 1 ethernet
encapsulation dot1ah isid 1000
bridge-domain 100 c-mac
service instance 2 ethernet
encapsulation dot1ah isid 2000
bridge-domain 200 c-mac
Egress forwarding can be accomplished using one of the following methods:
L2 bridging with switchport
interface Z
switchport
switchport mode trunk
switchport trunk allowed vlan 1111
L2 bridging with EVC
interface Z
service instance 1 ethernet
encapsulation dot1q 1111
bridge-domain 1111
EoMPLS
interface vlan 1111
xconnect 10.10.10.10 11 encapsulation mpls
VPLS
l2 vfi PBB-VFI manual
vpn id 1111
neighbor 20.20.20.20 22 encapsulation mpls
neighbor 30.30.30.30 33 encapsulation mpls
!
interface vlan 1111
xconnect vfi PBB-VFI
PBB is supported on 7600.