Friday, July 6, 2018

[Cisco IOS] Pseudowire the easy way

Today I want to illustrate the easiest way to implement a pseudowire using the "newer" IOS commands for it. This will be a minimalist implementation: just what we need and nothing else.

The key here is to understand that pseudowires run on top of an MPLS network.
"Pseudowires(PW) are used to provide end-to-end services across an MPLS network. They are the basic building blocks that can provide a point-to-point service as well as a multipoint service such as VPLS, which is practically a mesh of PWs used to create the bridge domain across which the packets flow." [1]

My example below will demonstrate how to trunk a layer 2 circuit delivered by the ISP over layer 3 devices.

I will skip the MPLS configuration, but just know that the interfaces between R1 and R2 were configured as follows, where X is the router's number.
conf t
!
 mpls label protocol ldp
 !
 interface GigabitEthernet 0/X
  ip address 10.0.0.X 255.255.255.252
  mpls ip
 !
 interface LoopbackX
  ip address 172.16.0.X 255.255.255.255

############## R1 ##############
interface pseudowire1
 encapsulation mpls
 neighbor 172.16.0.2 1
!
interface GigabitEthernet2/0/5
 description ** PSEUDOWIRE - ISP **
 no ip address
 no negotiation auto
 service instance 1 ethernet
  encapsulation untagged , dot1q 1-4094
  l2protocol forward cdp stp lldp
 !
!
l2vpn xconnect context ISP_WAN
 member pseudowire1
 member GigabitEthernet2/0/5 service-instance 1

############## R2 ##############
interface pseudowire1
 encapsulation mpls
 neighbor 172.16.0.1 1
!
interface GigabitEthernet2/0/5
 description ** PSEUDOWIRE - TRUNK **
 no ip address
 negotiation auto
 service instance 1 ethernet
  encapsulation untagged , dot1q 1-4094
  l2protocol forward cdp stp lldp
 !
!
l2vpn xconnect context ISP_WAN
 member pseudowire1
 member GigabitEthernet2/0/5 service-instance 1

############## Switch1 ##############
interface GigabitEthernet1/50
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2018
 switchport mode trunk
 switchport nonegotiate

Pretty simple but powerful, giving your environment the flexibility you need. Please note that this can also be used to create a layer 3 tunnel.

You can verify the operation of the pseudowire with the following commands:

show l2vpn service all
show mpls l2transport summary
show interface pseudowire 1
show xconnect all
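As a pre-deployment check for the two-sided configuration above (an added Python example, not code from the post): it parses the loopback, pseudowire and xconnect stanzas of both routers and flags the mismatches that leave a pseudowire down, such as a pw-id that differs between the ends or a neighbor that is not the far end's loopback. The router_cfg, parse and check_both functions are the example's own; the generated stanzas follow the post's addressing scheme.

```python
from typing import Dict, List, Set, Tuple

# Added example, not from the post: the loopback/pseudowire/xconnect stanzas
# are generated the way the post describes them (X is the router number).
def router_cfg(x: int, peer: str, pw_id: int) -> str:
    """Return the pseudowire-related stanzas of router X pointing at `peer` with `pw_id`."""
    return (f"interface Loopback{x}\n ip address 172.16.0.{x} 255.255.255.255\n"
            f"interface pseudowire1\n encapsulation mpls\n neighbor {peer} {pw_id}\n"
            "l2vpn xconnect context ISP_WAN\n member pseudowire1\n"
            " member GigabitEthernet2/0/5 service-instance 1\n")

def parse(cfg: str) -> Dict[str, object]:
    """Collect loopback addresses, pseudowire (neighbor, pw-id) pairs and xconnect members."""
    loops: Set[str] = set()
    pws: Dict[str, Tuple[str, int]] = {}
    members: Set[str] = set()
    section = ""
    for line in cfg.splitlines():
        if not line.strip() or not line.startswith(" "):  # blank/unindented line ends the stanza
            section = line.strip()
            continue
        tok = line.split()
        if section.startswith("interface Loopback") and tok[:2] == ["ip", "address"]:
            loops.add(tok[2])
        elif section.startswith("interface pseudowire") and tok[0] == "neighbor":
            pws[section.split()[1]] = (tok[1], int(tok[2]))
        elif section.startswith("l2vpn xconnect context") and tok[0] == "member":
            members.add(tok[1])
    return {"loopbacks": loops, "pws": pws, "members": members}

def check_pair(a: Dict, b: Dict) -> List[str]:
    """Check A's pseudowires against B (one direction); check_both runs it both ways."""
    findings: List[str] = []
    for name, (nbr, pw_id) in a["pws"].items():
        if name not in a["members"]:
            findings.append(f"{name}: not a member of any xconnect context")
        if nbr not in b["loopbacks"]:
            findings.append(f"{name}: neighbor {nbr} is not a loopback on the far end")
        # The far end must terminate the same pw-id and point back at one of A's loopbacks.
        if not any(p_id == pw_id and p_nbr in a["loopbacks"]
                   for p_nbr, p_id in b["pws"].values()):
            findings.append(f"{name}: far end has no pseudowire with pw-id {pw_id} back to this router")
    return findings

def check_both(cfg_a: str, cfg_b: str) -> List[str]:
    """Return all mismatches between two router configs; an empty list means they agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    return check_pair(a, b) + check_pair(b, a)
```

Feed it the R1 and R2 stanzas as in the post (check_both(router_cfg(1, "172.16.0.2", 1), router_cfg(2, "172.16.0.1", 1))) and an empty list confirms both ends agree; a differing pw-id or a wrong neighbor address is reported per pseudowire interface.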

For more information you can visit the following links:
  • MPLS for Beginners [2][3]
  • MPLS L2VPN Pseudowire Configuration [4]

Friday, March 30, 2018

[Cisco IOS] Copy files using SCP

I'm ashamed to admit that I discovered this just a couple of days ago, but it is way more convenient than using the traditional TFTP method.

Long story short, with this method the router becomes the server instead of the client, so you push files to it (from anywhere) instead of downloading them from a server at a "fixed" location.

Prerequisites:
Procedure:
  1. Enable secure copy with ip scp server enable
  2. Start the transfer with pscp -scp FILE.BIN admin@10.20.30.40:FILE.BIN
  3. Once finished, disable SCP with no ip scp server enable.

First seen on ccierants.

Wednesday, December 20, 2017

A life with Cisco VRFs

Without going into much detail, a VRF splits a router virtually into independent ones.

For more information click here.

When it comes to its configuration, it is pretty similar to what you would do normally, just adding the vrf keyword. Most of the time this is pretty intuitive, but sometimes the commands are completely different, and for my own personal reference I decided to have this post as a reminder of a few tricky commands.

Regular commands             VRF aware commands
ping 8.8.8.8                 ping vrf INTERNET 8.8.8.8
show ip route                show ip route vrf INTERNET
show crypto ipsec sa         show crypto ipsec sa vrf INTERNET
show ip bgp                  show bgp vpnv4 unicast vrf INTERNET
show ip bgp summary          show bgp vpnv4 unicast vrf INTERNET summary
show ipv6 eigrp neighbors    show eigrp address-family ipv6 vrf INTERNET neighbors

>>>>>>>>>>>>>>>>>>>>>>>>>>

Other useful commands that I personally often forget:

Check the light levels of an SFP on an ASR router
sh hw-module subslot 2/0 transceiver 0 status

Check STP topology changes
show spanning-tree detail | in occur|from|exec

Download a capture from an ASA context
https://10.10.10.1/admin/capture/internet/capture1/pcap